openstack/charm-keystone-openidc
Code Issues Proposed changes
f93b4451fb
charm-keystone-openidc/config.yaml
Felipe Reyes f93b4451fb Add OIDCOAuth config to Apache. 
This change introduces the configuration of OAuth to enable auth-openidc
which is browser-less.

When enable-oauth is set to true (the default) and
oidc-auth-verify-jwks-uri is empty, the charm will try use
oidc-oauth-introspection-endpoint if set, otherwise the charm will fetch
the content at oidc-provider-metadata-url and use the value available at
the key introspection_endpoint.
2022-08-16 10:44:26 -04:00

111 lines
3.7 KiB
YAML
Raw Blame History

options:
debug:
default: False
type: boolean
description: |
Enable debug logging.
remote-id-attribute:
default: 'HTTP_OIDC_ISS'
type: string
description: |
Attribute used to obtain the entity ID of the OpenID Connect Provider.
oidc-client-id:
default: ''
type: string
description: |
Client identifier used to connect to the OpenID Connect Provider.
oidc-client-secret:
default: ''
type: string
description: |
Password used to authenticate with the OpenID Connect Provider.
oidc-provider-metadata-url:
default: ''
type: string
description: |
URL to discover the OpenID Connect Provider and obtain information
needed to interact with it, including its OAuth 2.0 endpoint
locations. Example: https://example.com/.well-known/openid-configuration
oidc-provider-issuer:
default: ''
type: string
description: |
Open ID Connect Provider issuer identifier (e.g. https://example.com
). Used when oidc-provider-metadata-url is not set or the metadata
obtained from that URL does not set it.
oidc-provider-auth-endpoint:
default: ''
type: string
description: |
Open ID Connect Provider authorization endpoint
(e.g. https://example.com/as/authorization.oauth2). Used when
oidc-provider-metadata-url is not set or the metadata obtained from that
URL does not set it.
oidc-provider-token-endpoint:
default: ''
type: string
description: |
Open ID Connect Provider token endpoint
(e.g. https://example.com/as/token.oauth2). Used when
oidc-provider-metadata-url is not set or the metadata obtained from that
URL does not set it.
oidc-provider-token-endpoint-auth:
default: ''
type: string
description: |
Authentication method for the Open ID Connect Provider token endpoint,
possible options are: client_secret_basic, client_secret_post,
client_secret_jwt, private_key_jwt or none. Used when
oidc-provider-metadata-url is not set or the metadata obtained from that
URL does not set it.
oidc-provider-user-info-endpoint:
default: ''
type: string
description: |
Open ID Connect Provider user info endpoint
(e.g. https://example.com/idp/userinfo.openid). Used when
oidc-provider-metadata-url is not set or the metadata obtained from that
URL does not set it.
auth-type:
default: 'auth-openidc'
type: string
description: |
To add support to Bearer Access Token authentication flow that is used
by applications that do not adopt the browser flow, such the OpenStack
CLI, the auth-type must be set to auth-openidc (the default) otherwise
to openid-connect.
protocol_id:
default: 'openid'
type: string
description: |
Federation protocol name.
oidc-remote-user-claim:
default: ''
type: string
description: |
The claim that is used when setting the REMOTE_USER variable on OpenID
Connect protected paths, for example: email.
oidc-provider-jwks-uri:
default: ''
type: string
description: |
.
enable-oauth:
default: true
type: boolean
description: |
Set to true to enable OAuth2 support.
oidc-oauth-verify-jwks-uri:
default: ''
type: string
description: |
The JWKs URL on which the Authorization Server publishes the keys used
to sign its JWT access tokens.
oidc-oauth-introspection-endpoint:
default: ''
type: string
description: |
OAuth 2.0 Authorization Server token introspection endpoint. When
`enable-oauth` is set to true and this option unset (the default), the
introspection endpoint available in the metadata will be used.
View Git Blame Copy Permalink