Fix hard coded OIDC response type

Closes-bug: 1959781
Change-Id: If574d2242aa6a875dcf624d95495e6cec6fefddd

ansible/roles/keystone/defaults/main.yml

@@ -212,4 +212,5 @@ keystone_trusted_dashboards: "{{ ['%s://%s/auth/websso/' % (public_protocol, kol
 keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and keystone_identity_providers | selectattr('protocol','equalto','openid') | list | count > 0 }}"
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
+keystone_federation_oidc_response_type: "id_token"
 keystone_federation_oidc_scopes: "openid email profile"

ansible/roles/keystone/templates/wsgi-keystone.conf.j2

@@ -56,7 +56,7 @@ LogLevel info
 {% if keystone_enable_federation_openid %}
     OIDCClaimPrefix "OIDC-"
     OIDCClaimDelimiter ";"
-    OIDCResponseType "id_token"
+    OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
     OIDCScope "{{ keystone_federation_oidc_scopes }}"
     OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
 {% if keystone_federation_openid_certificate_key_ids | length > 0 %}

releasenotes/notes/fix-hardcoded-oidc-response-fc0f115f0b56cddf.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue with setting up OIDC based Keystone federation against IDP
+    that has a different response type than id_token. This can now be set using
+    a new variable ``keystone_federation_oidc_response_type``.
+    `LP#1959781 <https://bugs.launchpad.net/bugs/1959781>`__