From 2d52f7e331ec7141b79652a538f6c5ecff1fd94e Mon Sep 17 00:00:00 2001
From: Sven Kieske
Date: Wed, 11 Sep 2024 18:26:13 +0200
Subject: [PATCH] Add an option to set OIDCXForwardedHeaders
Closes-Bug: #2080402
Signed-off-by: Sven Kieske
Change-Id: Idf750fb882dae2864922da8620cd2a143bc0ecce
---
 ansible/roles/keystone/defaults/main.yml | 4 ++++
 ansible/roles/keystone/templates/wsgi-keystone.conf.j2 | 1 +
 ...ne-oidc-forwarded-headers-option-d153c6292cf20b26.yaml | 8 ++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml
diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 1945142c48..803663a753 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -234,6 +234,10 @@ keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and key
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
 keystone_federation_oidc_response_type: "id_token"
+# can be set to any supported headers, according to
+# https://github.com/OpenIDC/mod_auth_openidc/blob/ea3af872dcdbb4634a7e541c5e8c7326dafbb090/auth_openidc.conf
+# e.g."X-Forwarded-Proto", "X-Forwarded-Port" etc.
+keystone_federation_oidc_forwarded_headers: ""
 keystone_federation_oidc_claim_delimiter: ";"
 keystone_federation_oidc_scopes: "openid email profile"
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index d8db570257..8275b8b917 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
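Review bot: The new comment on `keystone_federation_oidc_forwarded_headers` lists which header names are accepted but not the trust implication of setting it: once OIDCXForwardedHeaders names a header, mod_auth_openidc uses that X-Forwarded-* value when it reconstructs the request URL it redirects to and validates against, so the value must come from a proxy that overwrites the header rather than from the client. I would add, above the default, `# Only set this when keystone is reached through a reverse proxy that sets or overwrites these headers; mod_auth_openidc trusts their values when reconstructing request URLs.` The existing comment also reads better as `# e.g. "X-Forwarded-Proto", "X-Forwarded-Port" etc.` (space after `e.g.`), and it is worth stating that several header names are given as a space-separated list, since the template passes the variable through as one value.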
@@ -58,6 +58,7 @@ LogLevel info
 {% endif -%}
 {% if keystone_enable_federation_openid | bool %}
+ OIDCXForwardedHeaders "{{ keystone_federation_oidc_forwarded_headers }}"
 OIDCClaimPrefix "OIDC-"
 OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}"
 OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
diff --git a/releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml b/releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml
new file mode 100644
index 0000000000..9414e567dd
--- /dev/null
+++ b/releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Add an option to set OIDCX forwarded headers in keystone. This is useful
+ when keystone is behind a proxy and the proxy is adding headers to the
+ request. The new option is ``keystone_federation_oidc_forwarded_headers``.
+ The default value is empty, to preserve the current behavior.
+ `LP#2080402 `__
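Review bot: The directive is rendered unconditionally, so with the empty default the generated config contains `OIDCXForwardedHeaders ""`; whether Apache and mod_auth_openidc accept an empty argument to this directive is not established by the patch, and the release note's claim that the default preserves current behaviour depends on it. Because the value is wrapped in double quotes, a setting with several header names would also reach the module as a single token rather than one argument per header, which — if the directive validates each name individually, as its documentation suggests — would be rejected at config load. Guarding the line and dropping the quotes avoids both: `{% if keystone_federation_oidc_forwarded_headers %}` / `    OIDCXForwardedHeaders {{ keystone_federation_oidc_forwarded_headers }}` / `{% endif %}`. The enclosing `{% if keystone_enable_federation_openid | bool %}` block continues past the end of the hunk.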