Merge "Add an option to set OIDCXForwardedHeaders"

2024-11-28 15:18:16 +00:00 · 2024-11-28 15:18:16 +00:00 · 93420ed41b
commit 93420ed41b
parent 755bc7470a 2d52f7e331
3 changed files with 13 additions and 0 deletions
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@ -234,6 +234,10 @@ keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and key
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
 keystone_federation_oidc_response_type: "id_token"
+# can be set to any supported headers, according to
+# https://github.com/OpenIDC/mod_auth_openidc/blob/ea3af872dcdbb4634a7e541c5e8c7326dafbb090/auth_openidc.conf
+# e.g."X-Forwarded-Proto", "X-Forwarded-Port" etc.
+keystone_federation_oidc_forwarded_headers: ""
 keystone_federation_oidc_claim_delimiter: ";"
 keystone_federation_oidc_scopes: "openid email profile"

--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@ -58,6 +58,7 @@ LogLevel info
 {% endif -%}

 {% if keystone_enable_federation_openid | bool %}
+    OIDCXForwardedHeaders "{{ keystone_federation_oidc_forwarded_headers }}"
    OIDCClaimPrefix "OIDC-"
    OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}"
    OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
--- a/releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml
+++ b/releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Add an option to set OIDCX forwarded headers in keystone. This is useful
+    when keystone is behind a proxy and the proxy is adding headers to the
+    request. The new option is ``keystone_federation_oidc_forwarded_headers``.
+    The default value is empty, to preserve the current behavior.
+    `LP#2080402 <https://bugs.launchpad.net/bugs/2080402>`__