openstack/charm-keystone-openidc
Code Issues Proposed changes
charm-keystone-openidc/templates/apache-openidc-location.conf
Felipe Reyes 10c79bde63 Add property oauth_introspection_endpoint 
The property oauth_introspection_endpoint reads from the metadata url to
determine the introspection endpoint when not passed explicitly in the
configuration.

This patch includes various fixes to make the hooks execution more
robust.
2022-09-08 23:17:00 -04:00

78 lines
2.9 KiB
ApacheConf
Raw Blame History

{# -*- mode: apache -*- #}
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
{% if options.oidc_provider_metadata_url -%}
OIDCProviderMetadataURL {{ options.oidc_provider_metadata_url }}
{% endif -%}
{% if options.oidc_provider_issuer -%}
OIDCProviderIssuer {{ options.oidc_provider_issuer }}
{% endif -%}
{% if options.oidc_provider_auth_endpoint -%}
OIDCProviderAuthorizationEndpoint {{ options.oidc_provider_auth_endpoint }}
{% endif -%}
{% if options.oidc_provider_token_endpoint -%}
OIDCProviderTokenEndpoint {{ options.oidc_provider_token_endpoint }}
{% endif -%}
{% if options.oidc_provider_token_endpoint_auth -%}
OIDCProviderTokenEndpointAuth {{ options.oidc_provider_token_endpoint_auth }}
{% endif -%}
{% if options.oidc_provider_user_info_endpoint -%}
OIDCProviderUserInfoEndpoint {{ options.oidc_provider_user_info_endpoint }}
{% endif -%}
{% if options.oidc_provider_jwks_uri -%}
OIDCProviderJwksUri {{ options.oidc_provider_jwks_uri }}
{% endif -%}
OIDCClientID {{ options.oidc_client_id }}
{% if options.oidc_client_secret -%}
OIDCClientSecret {{ options.oidc_client_secret }}
{% endif -%}
OIDCCryptoPassphrase {{ options.oidc_crypto_passphrase }}
OIDCRedirectURI {{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth
{% if options.oidc_remote_user_claim -%}
OIDCRemoteUserClaim {{ options.oidc_remote_user_claim }}
{% endif -%}
{%- if options.enable_oauth %}
{%- if options.oidc_oauth_verify_jwks_uri %}
OIDCOAuthVerifyJwksUri {{ options.oidc_oauth_verify_jwks_uri }}
{%- else %}
OIDCOAuthIntrospectionEndpoint {{ options.oauth_introspection_endpoint }}
OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
OIDCOAuthClientID {{ options.oidc_client_id }}
{%- if options.oidc_client_secret %}
OIDCOAuthClientSecret {{ options.oidc_client_secret }}
{%- endif %}
{%- endif %}
{%- endif %}
<LocationMatch /v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth>
AuthType {{ options.auth_type }}
Require valid-user
{%- if options.debug %}
LogLevel debug
{%- endif %}
</LocationMatch>
# Support for websso from Horizon
OIDCRedirectURI "{{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/auth/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/websso"
OIDCRedirectURI "{{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/auth/OS-FEDERATION/websso/{{ options.protocol_id }}"
<Location /v3/auth/OS-FEDERATION/websso/{{ options.protocol_id }}>
Require valid-user
AuthType openid-connect
{%- if options.debug %}
LogLevel debug
{%- endif %}
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/websso>
Require valid-user
AuthType openid-connect
{%- if options.debug %}
LogLevel debug
{%- endif %}
</Location>
View Git Blame Copy Permalink