Merge "Fix hard coded OIDC response type"

2022-02-28 13:42:17 +00:00 · 2022-02-28 13:42:17 +00:00 · 09db789a65
commit 09db789a65
parent 5e58d6d502 d32197271f
3 changed files with 9 additions and 1 deletions
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@ -212,4 +212,5 @@ keystone_trusted_dashboards: "{{ ['%s://%s/auth/websso/' % (public_protocol, kol
 keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and keystone_identity_providers | selectattr('protocol','equalto','openid') | list | count > 0 }}"
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
+keystone_federation_oidc_response_type: "id_token"
 keystone_federation_oidc_scopes: "openid email profile"
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@ -56,7 +56,7 @@ LogLevel info
 {% if keystone_enable_federation_openid %}
    OIDCClaimPrefix "OIDC-"
    OIDCClaimDelimiter ";"
-    OIDCResponseType "id_token"
+    OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
    OIDCScope "{{ keystone_federation_oidc_scopes }}"
    OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
 {% if keystone_federation_openid_certificate_key_ids | length > 0 %}
--- a/releasenotes/notes/fix-hardcoded-oidc-response-fc0f115f0b56cddf.yaml
+++ b/releasenotes/notes/fix-hardcoded-oidc-response-fc0f115f0b56cddf.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue with setting up OIDC based Keystone federation against IDP
+    that has a different response type than id_token. This can now be set using
+    a new variable ``keystone_federation_oidc_response_type``.
+    `LP#1959781 <https://bugs.launchpad.net/bugs/1959781>`__