From d32197271f37211920bc7c760b4fb3d7c1d15721 Mon Sep 17 00:00:00 2001
From: Piotr Parczewski
Date: Wed, 23 Feb 2022 10:57:33 +0100
Subject: [PATCH] Fix hard coded OIDC response type

Closes-bug: 1959781
Change-Id: If574d2242aa6a875dcf624d95495e6cec6fefddd
---
 ansible/roles/keystone/defaults/main.yml | 1 +
 ansible/roles/keystone/templates/wsgi-keystone.conf.j2 | 2 +-
 .../fix-hardcoded-oidc-response-fc0f115f0b56cddf.yaml | 7 +++++++
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/fix-hardcoded-oidc-response-fc0f115f0b56cddf.yaml

diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 225b26832f..76241d54e2 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -212,4 +212,5 @@ keystone_trusted_dashboards: "{{ ['%s://%s/auth/websso/' % (public_protocol, kol
 keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and keystone_identity_providers | selectattr('protocol','equalto','openid') | list | count > 0 }}"
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
+keystone_federation_oidc_response_type: "id_token"
 keystone_federation_oidc_scopes: "openid email profile"
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 3fad8cbb3f..9f7236e68e 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -56,7 +56,7 @@ LogLevel info
 {% if keystone_enable_federation_openid %}
 OIDCClaimPrefix "OIDC-"
 OIDCClaimDelimiter ";"
- OIDCResponseType "id_token"
+ OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
 OIDCScope "{{ keystone_federation_oidc_scopes }}"
 OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
 {% if keystone_federation_openid_certificate_key_ids | length > 0 %}
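Review bot: The new `keystone_federation_oidc_response_type` default in the ansible/roles/keystone/defaults/main.yml hunk carries no comment, so an operator has no hint which values are meaningful or that the value is handed straight to mod_auth_openidc. The neighbouring keys are equally bare, but this one selects the OpenID Connect flow, which is a security-relevant choice rather than a cosmetic setting. I would add above it: `# Value for mod_auth_openidc's OIDCResponseType (e.g. "code" or "id_token"); it selects the OIDC flow, and the "code" flow typically also needs the provider's client secret to be configured.` The same variable is consumed in the wsgi-keystone.conf.j2 hunk below.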
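Review bot: `OIDCResponseType "{{ keystone_federation_oidc_response_type }}"` in the wsgi-keystone.conf.j2 hunk substitutes the variable verbatim inside a double-quoted Apache directive with no validation, so a value containing a `"` or a line break silently reshapes the rendered config, and a value mod_auth_openidc does not accept only shows up as an httpd start-up failure inside the keystone container. Since mod_auth_openidc accepts a small fixed set for this directive (`code`, `id_token`, `id_token token`, `code id_token`, `code token`, `code id_token token`), the role's precheck could assert membership, e.g. `that: keystone_federation_oidc_response_type in ['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token']`, and fail with a message naming the variable. The enclosing `{% if keystone_enable_federation_openid %}` block continues past the end of the hunk.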
diff --git a/releasenotes/notes/fix-hardcoded-oidc-response-fc0f115f0b56cddf.yaml b/releasenotes/notes/fix-hardcoded-oidc-response-fc0f115f0b56cddf.yaml
new file mode 100644
index 0000000000..f4cd2ce958
--- /dev/null
+++ b/releasenotes/notes/fix-hardcoded-oidc-response-fc0f115f0b56cddf.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Fixes an issue with setting up OIDC based Keystone federation against IDP
+ that has a different response type than id_token. This can now be set using
+ a new variable ``keystone_federation_oidc_response_type``.
+ `LP#1959781 `__