keystone: Add support for OIDC options

Introduce keystone_federation_oidc_additional_options variable Change-Id: I39b9f35dab6f4e3ac2fcb505aabd2589e6e2ca69
2023-08-26 10:53:29 +02:00 · 2023-08-26 10:53:29 +02:00 · 85be68126e
commit 85be68126e
parent 28bf63f269
4 changed files with 17 additions and 0 deletions
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@ -234,6 +234,7 @@ keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keys
 keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
 keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
 keystone_federation_oidc_jwks_uri: ""
+keystone_federation_oidc_additional_options: {}

 # These variables are used to define multiple trusted Horizon dashboards.
 # keystone_trusted_dashboards: ['<https://dashboardServerOne/auth/websso/>', '<https://dashboardServerTwo/auth/websso/>', '<https://dashboardServerN/auth/websso/>']
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@ -80,6 +80,9 @@ LogLevel info
    OIDCCacheType memcache
    OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}"
 {% endif %}
+{% for key, value in keystone_federation_oidc_additional_options.items() %}
+    {{ key }} {{ value }}
+{% endfor %}

    <Location ~ "/redirect_uri">
      Require valid-user
--- a/doc/source/reference/shared-services/keystone-guide.rst
+++ b/doc/source/reference/shared-services/keystone-guide.rst
@ -96,6 +96,14 @@ used by OpenStack command line client. Example config shown below:

    keystone_federation_oidc_jwks_uri: "https://<AUTH PROVIDER>/<ID>/discovery/v2.0/keys"

+Some identity providers need additional mod_auth_openidc config.
+Example for Keycloak shown below:
+
+.. code-block:: yaml
+
+    keystone_federation_oidc_additional_options:
+      OIDCTokenBindingPolicy: disabled
+
 Identity providers configurations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml
+++ b/releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds ``keystone_federation_oidc_additional_options`` that allows to pass
+    additional OIDC options.