openstack/charm-keystone-openidc
Code Issues Proposed changes
f93b4451fb
charm-keystone-openidc/templates/apache-openidc-location.conf
Felipe Reyes f93b4451fb Add OIDCOAuth config to Apache. 
This change introduces the configuration of OAuth to enable auth-openidc
which is browser-less.

When enable-oauth is set to true (the default) and
oidc-auth-verify-jwks-uri is empty, the charm will try use
oidc-oauth-introspection-endpoint if set, otherwise the charm will fetch
the content at oidc-provider-metadata-url and use the value available at
the key introspection_endpoint.
2022-08-16 10:44:26 -04:00

81 lines
3.1 KiB
ApacheConf
Raw Blame History

{# -*- mode: apache -*- #}
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
{% if options.oidc_provider_metadata_url -%}
OIDCProviderMetadataURL {{ options.oidc_provider_metadata_url }}
{% endif -%}
{% if options.oidc_provider_issuer -%}
OIDCProviderIssuer {{ options.oidc_provider_issuer }}
{% endif -%}
{% if options.oidc_provider_auth_endpoint -%}
OIDCProviderAuthorizationEndpoint {{ options.oidc_provider_auth_endpoint }}
{% endif -%}
{% if options.oidc_provider_token_endpoint -%}
OIDCProviderTokenEndpoint {{ options.oidc_provider_token_endpoint }}
{% endif -%}
{% if options.oidc_provider_token_endpoint_auth -%}
OIDCProviderTokenEndpointAuth {{ options.oidc_provider_token_endpoint_auth }}
{% endif -%}
{% if options.oidc_provider_user_info_endpoint -%}
OIDCProviderUserInfoEndpoint {{ options.oidc_provider_user_info_endpoint }}
{% endif -%}
{% if options.oidc_provider_jwks_url -%}
OIDCProviderJwksUri {{ options.oidc_provider_jwks_url }}
{% endif -%}
OIDCClientID {{ options.oidc_client_id }}
{% if options.oidc_client_secret -%}
OIDCClientSecret {{ options.oidc_client_secret }}
{% endif -%}
OIDCCryptoPassphrase {{ options.oidc_crypto_passphrase }}
OIDCRedirectURI {{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth
{% if options.oidc_remote_user_claim -%}
OIDCRemoteUserClaim {{ options.oidc_remote_user_claim }}
{% endif -%}
{% if options.oidc_provider_jwks_uri -%}
OIDCProviderJwksUri {{ options.oidc_provider_jwks_uri }}
{% endif -%}
{%- if options.enable_oauth %}
{%- if options.oidc_auth_verify_jwks_uri %}
OIDCOAuthVerifyJwksUri {{ options.oidc_auth_verify_jwks_uri }}
{%- else %}
OIDCOAuthIntrospectionEndpoint {{ options.oidc_oauth_introspection_endpoint|default(options.provider_metadata.introspection_endpoint) }}
OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
OIDCOAuthClientID {{ options.oidc_client_id }}
{%- if options.oidc_client_secret %}
OIDCOAuthClientSecret {{ options.oidc_client_secret }}
{%- endif %}
{%- endif %}
{%- endif %}
<LocationMatch /v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth>
AuthType {{ options.auth_type }}
Require valid-user
{%- if options.debug %}
LogLevel debug
{%- endif %}
</LocationMatch>
# Support for websso from Horizon
OIDCRedirectURI "{{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/auth/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/websso"
OIDCRedirectURI "{{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/auth/OS-FEDERATION/websso/{{ options.protocol_id }}"
<Location /v3/auth/OS-FEDERATION/websso/{{ options.protocol_id }}>
Require valid-user
AuthType openid-connect
{%- if options.debug %}
LogLevel debug
{%- endif %}
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/websso>
Require valid-user
AuthType openid-connect
{%- if options.debug %}
LogLevel debug
{%- endif %}
</Location>
View Git Blame Copy Permalink