openstack
/
puppet-keystone
Code Issues Proposed changes
OpenStack Keystone Puppet Module
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1615 Commits
7 Branches
19 Tags
23 MiB
 
 
 
 
Tree: 94fbafd684
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '94fbafd684'
${ noResults }
puppet-keystone/templates/openidc.conf.erb

75 lines
4.3 KiB
Raw Blame History

LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCClaimPrefix "OIDC-"
OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
<%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%>
OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_max'] != nil -%>
OIDCCacheShmMax scope['::keystone::federation::openidc::openidc_cache_shm_max'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] != nil -%>
OIDCCacheShmEntrySize scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_dir'] != nil -%>
OIDCCacheDir scope['::keystone::federation::openidc::openidc_cache_dir'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_clean_interval'] != nil -%>
OIDCCacheFileCleanInterval scope['::keystone::federation::openidc::openidc_cache_clean_interval'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::memcached_servers_real'] != nil -%>
OIDCMemCacheServers "<%= scope['::keystone::federation::openidc::memcached_servers_real'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_server'] != nil -%>
OIDCRedisCacheServer "<%= scope['::keystone::federation::openidc::redis_server'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_password'] != nil -%>
OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%>
OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%>
OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
<%- end -%>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/websso/openid"
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
</LocationMatch>
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
</LocationMatch>
<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
<%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%>
OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>"
<%- elsif scope['keystone::federation::openidc::openidc_verify_method'] == 'jwks' -%>
OIDCOAuthVerifyJwksUri "<%= scope['keystone::federation::openidc::openidc_verify_jwks_uri']-%>"
<%- end -%>
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType oauth20
Require valid-user
</Location>
<%- end -%>