"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/admin/federation/openidc.inc" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

openidc.inc  (keystone-16.0.1):openidc.inc  (keystone-17.0.0)
skipping to change at line 62 skipping to change at line 62
In the Apache configuration for the keystone VirtualHost, set the following OIDC In the Apache configuration for the keystone VirtualHost, set the following OIDC
options: options:
.. code-block:: apache .. code-block:: apache
OIDCClaimPrefix "OIDC-" OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token" OIDCResponseType "id_token"
OIDCScope "openid email profile" OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-config uration OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-config uration
OIDCOAuthVerifyJwksUri https://www.googleapis.com/oauth2/v3/certs
OIDCClientID <openid_client_id> OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret> OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase <random string> OIDCCryptoPassphrase <random string>
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_pro viders/google/protocols/openid/auth OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_pro viders/google/protocols/openid/auth
``OIDCScope`` is the list of attributes that the user will authorize the ``OIDCScope`` is the list of attributes that the user will authorize the
Identity Provider to send to the Service Provider. ``OIDCClientID`` and Identity Provider to send to the Service Provider. ``OIDCClientID`` and
``OIDCClientSecret`` must be generated and obtained from the Identity Provider. ``OIDCClientSecret`` must be generated and obtained from the Identity Provider.
``OIDCProviderMetadataURL`` is a URL from which the Service Provider will fetch ``OIDCProviderMetadataURL`` is a URL from which the Service Provider will fetch
the Identity Provider's metadata. ``OIDCRedirectURI`` is a vanity URL that must the Identity Provider's metadata. ``OIDCOAuthVerifyJwksUri`` is a URL from
which the Service Provider will download the public key from the Identity
Provider to check if the user's access token is valid or not, this configuration
must be used while using the AuthType ``auth-openidc``, when using the AuthType
``openid-connect`` and the OIDCProviderMetadataURL is configured, this property
will not be necessary.
``OIDCRedirectURI`` is a vanity URL that must
point to a protected path that does not have any content, such as an extension point to a protected path that does not have any content, such as an extension
of the protected federated auth path. of the protected federated auth path.
.. note:: .. note::
If using a mod_wsgi version less than 4.3.0, then the `OIDCClaimPrefix` must If using a mod_wsgi version less than 4.3.0, then the `OIDCClaimPrefix` must
be specified to have only alphanumerics or a dash ("-"). This is because be specified to have only alphanumerics or a dash ("-"). This is because
`mod_wsgi blocks headers that do not fit this criteria`_. `mod_wsgi blocks headers that do not fit this criteria`_.
.. _mod_wsgi blocks headers that do not fit this criteria: http://modwsgi.readth edocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed .. _mod_wsgi blocks headers that do not fit this criteria: http://modwsgi.readth edocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed
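Review bot: the paragraph added for ``OIDCOAuthVerifyJwksUri`` ("is a URL from which the Service Provider will download the public key ... this property will not be necessary.") is a single run-on sentence that joins three separate statements with commas; split it so the requirement is unambiguous, e.g. "``OIDCOAuthVerifyJwksUri`` is the URL from which the Service Provider downloads the Identity Provider's public keys used to validate the user's access token. It is required when the AuthType is ``auth-openidc``. With AuthType ``openid-connect`` and ``OIDCProviderMetadataURL`` configured it is not needed." Also wrap ``OIDCProviderMetadataURL`` in double backticks in that sentence, as every other option name in the paragraph is.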
skipping to change at line 95 skipping to change at line 102
Configure each protected path to use the ``openid-connect`` AuthType: Configure each protected path to use the ``openid-connect`` AuthType:
.. code-block:: apache .. code-block:: apache
<Location /v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth> <Location /v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth>
Require valid-user Require valid-user
AuthType openid-connect AuthType openid-connect
</Location> </Location>
.. note::
To add support to Bearer Access Token authentication flow that is used by
applications that do not adopt the browser flow, such the OpenStack CLI, you
will need to change the AuthType from ``openid-connect`` to
``auth-openidc``.
Do the same for the WebSSO auth paths if using horizon: Do the same for the WebSSO auth paths if using horizon:
.. code-block:: apache .. code-block:: apache
<Location /v3/auth/OS-FEDERATION/websso/openid> <Location /v3/auth/OS-FEDERATION/websso/openid>
Require valid-user Require valid-user
AuthType openid-connect AuthType openid-connect
</Location> </Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/google/protocols/openid/w ebsso> <Location /v3/auth/OS-FEDERATION/identity_providers/google/protocols/openid/w ebsso>
Require valid-user Require valid-user
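Review bot: the new note has a grammar slip ("such the OpenStack CLI" should be "such as the OpenStack CLI") and the opening clause is awkward; suggest "To support the bearer access-token flow, used by applications that do not use the browser flow (such as the OpenStack CLI), change the AuthType from ``openid-connect`` to ``auth-openidc``." The note also omits the dependency stated in the VirtualHost section of this same change: ``auth-openidc`` requires ``OIDCOAuthVerifyJwksUri`` so that the bearer token can be validated, so a reader who only follows this note ends up with a path on which bearer-token authentication has no key source; a one-line cross-reference here would prevent that.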
skipping to change at line 121 skipping to change at line 134
# systemctl reload apache2 # systemctl reload apache2
.. note:: .. note::
When creating :ref:`mapping rules <create_a_mapping>`, in keystone, note that the 'remote' When creating :ref:`mapping rules <create_a_mapping>`, in keystone, note that the 'remote'
attributes will be prefixed, with ``HTTP_``, so for instance, if you set attributes will be prefixed, with ``HTTP_``, so for instance, if you set
``OIDCClaimPrefix`` to ``OIDC-``, then a typical remote value to check for ``OIDCClaimPrefix`` to ``OIDC-``, then a typical remote value to check for
is: ``HTTP_OIDC_ISS``. is: ``HTTP_OIDC_ISS``.
Configuring Multiple Identity Providers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To configure multiples Identity Providers in your environment you will need to
set your OIDC options like the following options:
.. code-block:: apache
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCMetadataDir <IDP metadata directory>
OIDCCryptoPassphrase <random string>
OIDCRedirectURI https://sp.keystone.example.org/redirect_uri
OIDCOAuthVerifyCertFiles <kid>#</path/to-cert.pem> <kid2>#</path/to-cert2.pe
m> <kidN>#</path/to-certN.pem>
The ``OIDCOAuthVerifyCertFiles`` is a tuple separated with `space`
containing the key-id (kid) of the Issuer's public key and a path to
the Issuer certificate. The separator ``#`` is used to split the (``kid``)
and the public certificate address
The metadata folder configured in the option ``OIDCMetadataDir`` must have all
your Identity Providers configurations, the name of the files will be
the name (with path) of the Issuers like:
.. code-block::
- <IDP metadata directory>
|
- accounts.google.com.client
|
- accounts.google.com.conf
|
- accounts.google.com.provider
|
- keycloak.example.org%2Fauth%2Frealms%2Fidp.client
|
- keycloak.example.org%2Fauth%2Frealms%2Fidp.conf
|
- keycloak.example.org%2Fauth%2Frealms%2Fidp.provider
.. note::
The name of the file must be url-encoded if needed, as the Apache2 mod_auth_op
enidc
will get the raw value from the query parameter ``iss`` from the http request
and check if there is a metadata with this name, as the query parameter is
url-encoded, so the metadata file name need to be encoded too. For example, if
you have an
Issuer with ``/`` in the URL, then you need to escape it to ``%2F`` by
applying a URL escape in the file name.
The content of these files must be a JSON like
``accounts.google.com.client``:
.. code-block:: json
{
"client_id":"<openid_client_id>",
"client_secret":"<openid_client_secret>"
}
The ``.client`` file handles the SP credentials in the Issuer.
``accounts.google.com.conf``:
This file will be a JSON that overrides some of OIDC options. The options
that are able to be overridden are listed in the
`OpenID Connect Apache2 plugin documentation`_.
.. _`OpenID Connect Apache2 plugin documentation`: https://github.com/zmartzone/
mod_auth_openidc/wiki/Multiple-Providers#opclient-configuration
If you do not want to override the config values, you can leave this file as
an empty JSON like ``{}``.
``accounts.google.com.provider``:
This file will contain all specifications about the IdentityProvider. To
simplify, you can just use the JSON returned in the ``.well-known`` endpoint:
.. code-block:: json
{
"issuer": "https://accounts.google.com",
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"revocation_endpoint": "https://oauth2.googleapis.com/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"claims_supported": [
"aud",
"email",
"email_verified",
"exp",
"family_name",
"given_name",
"iat",
"iss",
"locale",
"name",
"picture",
"sub"
],
"code_challenge_methods_supported": [
"plain",
"S256"
]
}
Continue configuring keystone Continue configuring keystone
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:ref:`Continue configuring keystone <federation_configuring_keystone>` :ref:`Continue configuring keystone <federation_configuring_keystone>`
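Review bot: the ``.client`` file shown in the new "Configuring Multiple Identity Providers" section stores ``client_secret`` in plaintext, but the section never says who may read ``OIDCMetadataDir``; add a sentence that the directory and its files must be readable only by the Apache user, since the ``.client`` files carry the Service Provider credentials for every Issuer. Two smaller points in the same section: the example sets ``OIDCRedirectURI https://sp.keystone.example.org/redirect_uri``, while the earlier paragraph requires ``OIDCRedirectURI`` to point to a protected path with no content, so say how that path is protected (or use the federated auth path as the single-provider example does); and the wording needs a pass: "multiples Identity Providers" should be "multiple Identity Providers", the ``OIDCOAuthVerifyCertFiles`` paragraph lacks a final period and "public certificate address" should be "public certificate path", "IdentityProvider" should be "Identity Provider", the url-encoding note is one run-on sentence, and the directory listing's ``.. code-block::`` has no language (``text`` would do).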
 End of changes. 4 change blocks. 
1 lines changed or deleted 150 lines changed or added
