Merge "add support for enabling oauth in keystone openidc integration"

2019-07-30 00:30:10 +00:00 · 2019-07-30 00:30:10 +00:00 · f6f5f2f0da
commit f6f5f2f0da
parent 0d1bf7ae8a 5c0e4e7355
3 changed files with 27 additions and 0 deletions
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@ -340,6 +340,16 @@ parameters:
    description: >-
      Attribute to be used to obtain the entity ID of the Identity Provider
      from the environment.
+  KeystoneOpenIdcEnableOAuth:
+    type: boolean
+    default: false
+    description: >-
+      Enable OAuth 2.0 integration.
+  KeystoneOpenIdcIntrospectionEndpoint:
+    type: string
+    default: ''
+    description: >-
+      OAuth 2.0 introspection endpoint for mod_auth_openidc

 resources:

@ -552,6 +562,10 @@ outputs:
                get_param: KeystoneOpenIdcResponseType
              keystone::federation::openidc::remote_id_attribute:
                get_param: KeystoneOpenIdcRemoteIdAttribute
+              keystone::federation::openidc::openidc_oauth_enabled:
+                get_param: KeystoneOpenIdcEnableOAuth
+              keystone::federation::openidc::openidc_introspection_endpoint:
+                get_param: KeystoneOpenIdcIntrospectionEndpoint
            - {}
          -
            if:
--- a/environments/enable-federation-openidc.yaml
+++ b/environments/enable-federation-openidc.yaml
@ -30,6 +30,10 @@ parameter_defaults:
  # Type: string
  KeystoneOpenIdcIdpName: myidp

+  # OAuth 2.0 introspection endpoint for mod_auth_openidc
+  # Type: string
+  KeystoneOpenIdcIntrospectionEndpoint: https://myidp.example.test/auth/realms/openstack/protocol/openid-connect/token/introspect
+
  # The url that points to your OpenID Connect provider metadata
  # Type: string
  KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
@ -70,6 +74,10 @@ parameter_defaults:
  # Type: boolean
  KeystoneOpenIdcEnable: True

+  # Enable OAuth 2.0 integration.
+  # Type: boolean
+  KeystoneOpenIdcEnableOAuth: True
+
  # Enable support for Web Single Sign-On
  # Type: boolean
  WebSSOEnable: True
--- a/sample-env-generator/openidc.yaml
+++ b/sample-env-generator/openidc.yaml
@ -16,6 +16,8 @@ environments:
          - KeystoneOpenIdcCryptoPassphrase
          - KeystoneOpenIdcResponseType
          - KeystoneOpenIdcRemoteIdAttribute
+          - KeystoneOpenIdcEnableOAuth
+          - KeystoneOpenIdcIntrospectionEndpoint
      deployment/horizon/horizon-container-puppet.yaml:
        parameters:
          - WebSSOEnable
@ -25,16 +27,19 @@ environments:
    sample_values:
      KeystoneFederationEnable: True
      KeystoneOpenIdcEnable: True
+      KeystoneOpenIdcEnableOAuth: True
      WebSSOEnable: True
      KeystoneAuthMethods: 'password,token,openid'
      KeystoneTrustedDashboards: 'https://dashboard.example.test/dashboard/auth/websso/'
      KeystoneOpenIdcIdpName: 'myidp'
      KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration'
+      KeystoneOpenIdcIntrospectionEndpoint: 'https://myidp.example.test/auth/realms/openstack/protocol/openid-connect/token/introspect'
      KeystoneOpenIdcClientId: 'myclientid'
      KeystoneOpenIdcClientSecret: 'myclientsecret'
    static:
      - KeystoneFederationEnable
      - KeystoneOpenIdcEnable
+      - KeystoneOpenIdcEnableOAuth
      - WebSSOEnable
    description: |
      This is an example template on how to configure keystone federation for