From e7455759ad4be5e1212d84e08612a4ff4ece8717 Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Fri, 28 May 2021 17:22:31 +0100
Subject: [PATCH] Add OIDCDiscoverURL mod_oidc option
This gets rid of one of the steps in the authentication flow.
Closes-Bug: 1930055
Change-Id: I4ed4651b55a912f1d9aec7277bae6bb4776f1e0a
---
 ansible/roles/keystone/templates/wsgi-keystone.conf.j2 | 1 +
 .../notes/add-oidc-discover-url-83edb9f43f73a97f.yaml | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 releasenotes/notes/add-oidc-discover-url-83edb9f43f73a97f.yaml
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 124ea2ce69..3fad8cbb3f 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -79,6 +79,7 @@ LogLevel info
 {% for idp in keystone_identity_providers %}
 {% if idp.protocol == 'openid' %}
+ OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ idp.identifier | urlencode }}
 Require valid-user
 AuthType openid-connect
diff --git a/releasenotes/notes/add-oidc-discover-url-83edb9f43f73a97f.yaml b/releasenotes/notes/add-oidc-discover-url-83edb9f43f73a97f.yaml
new file mode 100644
index 0000000000..fd8bf8d528
--- /dev/null
+++ b/releasenotes/notes/add-oidc-discover-url-83edb9f43f73a97f.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Fixes an issue with an OIDC authentication flow requiring unnecessary
+ action from the user. Redirecting to the target IdP page now happens
+ automatically.
+ `LP#930055 `__
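Review bot: The added `OIDCDiscoverURL` line in wsgi-keystone.conf.j2 hard-codes the `/redirect_uri` path and carries no comment saying what it has to stay in sync with. If the template's `OIDCRedirectURI` (not visible in this hunk) is ever changed, this URL would likely point at a path the module does not handle, and the login would fail instead of showing a provider-selection page. The `iss` value presumably also has to match an issuer the module has metadata for, so a typo in `idp.identifier` now breaks the flow with no manual step to recover from. I would add a Jinja comment above the directive, e.g. `{# Skips the provider-selection page: iss must match this IdP's configured issuer and the path must match OIDCRedirectURI #}`. The `{% for %}`/`{% if %}` block this line sits in closes outside the hunk.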