openstack/puppet-keystone
Code Issues Proposed changes
7f4b153200
puppet-keystone/templates/openidc.conf.erb
Takashi Kajinami fe95db4cb0 Use puppetlabs-apache to load auth modules. 
... so that we don't have to maintain the required logics to enable
the module in our modules.

Related-Bug: #2006924
Change-Id: Ia46deea226a58638e74eee0c0172f0c3c5fa62e7
2023-02-13 16:55:39 +09:00

79 lines
4.4 KiB
Plaintext
Raw Blame History

OIDCClaimPrefix "OIDC-"
OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
<%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%>
OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_max'] != nil -%>
OIDCCacheShmMax scope['::keystone::federation::openidc::openidc_cache_shm_max'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] != nil -%>
OIDCCacheShmEntrySize scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_dir'] != nil -%>
OIDCCacheDir scope['::keystone::federation::openidc::openidc_cache_dir'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_clean_interval'] != nil -%>
OIDCCacheFileCleanInterval scope['::keystone::federation::openidc::openidc_cache_clean_interval'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::memcached_servers_real'] != nil -%>
OIDCMemCacheServers "<%= scope['::keystone::federation::openidc::memcached_servers_real'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_server'] != nil -%>
OIDCRedisCacheServer "<%= scope['::keystone::federation::openidc::redis_server'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_password'] != nil -%>
OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%>
OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%>
OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
<%- end -%>
OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth"
<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
<%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%>
OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>"
<%- elsif scope['keystone::federation::openidc::openidc_verify_method'] == 'jwks' -%>
OIDCOAuthVerifyJwksUri "<%= scope['keystone::federation::openidc::openidc_verify_jwks_uri']-%>"
<%- end -%>
<Location "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType oauth20
Require valid-user
</Location>
<%- else -%>
<Location "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType "openid-connect"
Require valid-user
</Location>
<%- end -%>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)
<Location "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
</Location>
<Location "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
</Location>
View Git Blame Copy Permalink