options:
  debug:
    default: False
    type: boolean
    description: |
      Enable debug logging.
  remote-id-attribute:
    default: 'HTTP_OIDC_ISS'
    type: string
    description: |
      Attribute used to obtain the entity ID of the OpenID Connect Provider.
  oidc-client-id:
    default: ''
    type: string
    description: |
      Client identifier used to connect to the OpenID Connect Provider.
  oidc-client-secret:
    default: ''
    type: string
    description: |
      Password used to authenticate with the OpenID Connect Provider.
  oidc-provider-metadata-url:
    default: ''
    type: string
    description: |
      URL to discover the OpenID Connect Provider and obtain information
      needed to interact with it, including its OAuth 2.0 endpoint
      locations. Example: https://example.com/.well-known/openid-configuration
  oidc-provider-issuer:
    default: ''
    type: string
    description: |
      Open ID Connect Provider issuer identifier (e.g. https://example.com
      ). Used when oidc-provider-metadata-url is not set or the metadata
      obtained from that URL does not set it.
  oidc-provider-auth-endpoint:
    default: ''
    type: string
    description: |
      Open ID Connect Provider authorization endpoint
      (e.g. https://example.com/as/authorization.oauth2). Used when
      oidc-provider-metadata-url is not set or the metadata obtained from that
      URL does not set it.
  oidc-provider-token-endpoint:
    default: ''
    type: string
    description: |
      Open ID Connect Provider token endpoint
      (e.g. https://example.com/as/token.oauth2). Used when
      oidc-provider-metadata-url is not set or the metadata obtained from that
      URL does not set it.
  oidc-provider-token-endpoint-auth:
    default: ''
    type: string
    description: |
      Authentication method for the Open ID Connect Provider token endpoint,
      possible options are: client_secret_basic, client_secret_post,
      client_secret_jwt, private_key_jwt or none. Used when
      oidc-provider-metadata-url is not set or the metadata obtained from that
      URL does not set it.
  oidc-provider-user-info-endpoint:
    default: ''
    type: string
    description: |
      Open ID Connect Provider user info endpoint
      (e.g. https://example.com/idp/userinfo.openid). Used when
      oidc-provider-metadata-url is not set or the metadata obtained from that
      URL does not set it.
  oidc-x-forwarded-headers:
    default: ''
    type: string
    description: |
      X-Forwarded-* headers from reverse proxies that mod_auth_openidc should
      look for. Must be one or more of "X-Forwarded-Host", "X-Forwarded-Port",
      "X-Forwarded-Proto", "Forwarded", or "none". mod_auth_openidc ignores
      this setting if it is "none" or undefined. Use this setting when using
      a proxy that changes the protocol, host, or port when handling the
      authentication workflow.
  oidc-state-input-headers:
    default: 'user-agent'
    type: string
    description: |
      Define the headers mod_auth_openidc uses to calculate the browser
      fingerprint during authentication. Set to "none" if using multiple
      units of Keystone behind a load balancer or proxy.
  oidc-session-type:
    default: 'server-cache'
    type: string
    description: |
      Set where OpenID Connect session cookies are stored. BY default cookies
      are stored on the web server. Can be one of 'server-cache',
      'server-cache:persistent', 'client-cookie', 'client-cookie:persistent',
      'client-cookie:store_id_token', or
      'client-cookie:persistent:store_id_token'. When using multiple units
      of Keystone behind a proxy, use 'client-cookie:persistent' if you are
      not using shared session storage for Keystone.
  oidc-response-type:
    default: 'id_token'
    type: string
    description: |
      Define the OIDCResponseType for mod_auth_openidc uses limit
      the responses type. It must be one of the following:
      code|id_token|id_token token|code id_token|code token|code id_token token
      Empty string will remove that option completely.
  auth-type:
    default: 'auth-openidc'
    type: string
    description: |
      To add support to Bearer Access Token authentication flow that is used
      by applications that do not adopt the browser flow, such the OpenStack
      CLI, the auth-type must be set to auth-openidc (the default) otherwise
      to openid-connect.
  idp_id:
    default: ''
    type: string
    description: |
      The ID of the Identity Provider defined in Keystone.
  protocol_id:
    default: 'openid'
    type: string
    description: |
      Federation protocol name.
  oidc-remote-user-claim:
    default: ''
    type: string
    description: |
      The claim that is used when setting the REMOTE_USER variable on OpenID
      Connect protected paths, for example: email.
  oidc-provider-jwks-uri:
    default: ''
    type: string
    description: |
      .
  enable-oauth:
    default: true
    type: boolean
    description: |
      Set to true to enable OAuth2 support.
  oidc-oauth-verify-jwks-uri:
    default: ''
    type: string
    description: |
      The JWKs URL on which the Authorization Server publishes the keys used
      to sign its JWT access tokens.
  oidc-oauth-introspection-endpoint:
    default: ''
    type: string
    description: |
      OAuth 2.0 Authorization Server token introspection endpoint. When
      `enable-oauth` is set to true and this option unset (the default), the
      introspection endpoint available in the metadata will be used.
  user-facing-name:
    type: string
    default: 'OpenID Connect via mapped'
    description: |
      A user-facing name to be used for the identity provider and protocol
      combination. Used in the OpenStack dashboard.