From 3b283edf8a2c2d51236631a9fcd9b3f5f744f6ed Mon Sep 17 00:00:00 2001 From: Georgina Shippey Date: Tue, 28 Apr 2020 18:00:44 +0100 Subject: [PATCH] Add option for OIDCOutgoingProxy for mod_auth_openidc Allows a user to specify the OIDCOutgoingProxy setting for mod_auth_openidc when setting up an OIDC identity provider. Change-Id: Ib37ace634f81e4f691d0b1aa8c52424a1c851da4
---
defaults/main.yml | 1 + templates/keystone-httpd.conf.j2 | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 8f1be538..0bd12c78 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -436,6 +436,7 @@ keystone_sp: {}
 # oidc_client_secret: secret
 # oidc_crypto_passphrase: random string
 # oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
+# oidc_outgoing_proxy: "proxy address" (optional setting)
 # entity_ids:
 # - 'https://identity-provider/openid-endpoint/'
 # federated_identities:
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index d77895c3..0507eee7 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -45,7 +45,10 @@ Listen {{ keystone_service_port }}
 OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
 {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
 OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
- {% endif %}
+ {% endif -%}
+ {% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined -%}
+ OIDCOutgoingProxy {{ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy }}
+ {% endif -%}
 Require valid-user
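Review bot: The added example line in defaults/main.yml uses `"proxy address"` as its value, which tells an operator neither the expected form nor what the setting affects. mod_auth_openidc documents OIDCOutgoingProxy as `<host>[:<port>]`, and once it is set the module's outbound requests to the identity provider (metadata discovery, JWKS retrieval and token endpoint calls, which typically carry the client secret) are sent through that proxy, so it belongs to the trust path of the federation setup. I would write the comment as `# oidc_outgoing_proxy: "proxy.example.com:3128"  # optional; host[:port] of the proxy used for all outbound calls to the IdP`, where the host and port are constructed sample values.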
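Review bot: The new `is defined` guard in keystone-httpd.conf.j2 is also true when `oidc_outgoing_proxy` is present but empty or null, and the template then emits an `OIDCOutgoingProxy` line with no usable argument, which Apache will most likely reject when the config is loaded. Testing the value rather than its existence avoids that: `{% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy | default('', true) -%}`. The value is also written unquoted, so whitespace inside the variable would turn into extra directive arguments; a one-line template comment above the block stating that the value must be a bare `host[:port]` would make that expectation visible. The existing `oidc_auth_verify_jwks_uri` guard just above has the same shape, and the surrounding OIDC block starts and ends outside this hunk.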