openstack/charm-keystone-openidc
Code Issues Proposed changes

Fix JSONDecodeError from misconfigured OIDCRedirectURI

Browse Source 
This change makes the OIDCRedirectURI into a fake URI. If
OIDCRedirectURI matches a real Keystone federation auth
endpoint, the Keystone federation auth journey breaks.

Closes-Bug: 2075349
Change-Id: I39ad349db5175ca8c0e1669f784c70042e18a3f6
(cherry picked from commit 69c86c320b4e62845cca3cbaded4768493cd5dd8)
This commit is contained in:
Jadon Naas 2024-07-31 12:03:17 -04:00
parent 8692fe0a5c
commit e35ace8d41
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
templates/apache-openidc-location.conf
View File

@ -42,7 +42,7 @@ OIDCClientID {{ options.oidc_client_id }}
OIDCClientSecret {{ options.oidc_client_secret }}
{% endif -%}
OIDCCryptoPassphrase {{ options.oidc_crypto_passphrase }}
OIDCRedirectURI {{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth
OIDCRedirectURI {{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/redirect_uri
{% if options.oidc_remote_user_claim -%}
OIDCRemoteUserClaim {{ options.oidc_remote_user_claim }}
@ -64,6 +64,14 @@ OIDCOAuthClientSecret {{ options.oidc_client_secret }}
OIDCOutgoingProxy {{ options.oidc_outgoing_proxy }}
{% endif -%}
<LocationMatch /v3/redirect_uri>
Require valid-user
AuthType {{ options.auth_type }}
{%- if options.debug %}
LogLevel debug
{%- endif %}
</LocationMatch>
<LocationMatch /v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth>
AuthType {{ options.auth_type }}
Require valid-user