Setting Up OpenID Connect
See keystone-as-sp before proceeding with these OpenIDC-specific instructions.
These examples use Google as an OpenID Connect Identity Provider. The Service Provider must be added to the Identity Provider in the Google API console.
Configuring Apache HTTPD for mod_auth_openidc
Note
You are advised to carefully examine the mod_auth_openidc documentation.
Install the Module
Install the Apache module package. For example, on Ubuntu:
# apt-get install libapache2-mod-auth-openidc
The package and module name will differ between distributions.
Configure mod_auth_openidc
In the Apache configuration for the keystone VirtualHost, set the following OIDC options:
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase <random string>
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth
OIDCScope is the list of attributes that the user will authorize the Identity Provider to send to the Service Provider. OIDCClientID and OIDCClientSecret must be generated and obtained from the Identity Provider. OIDCProviderMetadataURL is a URL from which the Service Provider will fetch the Identity Provider's metadata. OIDCRedirectURI is a vanity URL that must point to a protected path that does not have any content, such as an extension of the protected federated auth path.
Note
If using a mod_wsgi version less than 4.3.0, then the OIDCClaimPrefix must be specified to have only alphanumerics or a dash ("-"). This is because mod_wsgi blocks headers that do not fit this criteria.
Configure Protected Endpoints
Configure each protected path to use the openid-connect AuthType:
<Location /v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth>
  Require valid-user
  AuthType openid-connect
</Location>
Do the same for the WebSSO auth paths if using horizon:
<Location /v3/auth/OS-FEDERATION/websso/openid>
  Require valid-user
  AuthType openid-connect
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/google/protocols/openid/websso>
  Require valid-user
  AuthType openid-connect
</Location>
Remember to reload Apache after altering the VirtualHost:
# systemctl reload apache2
Note
When creating mapping rules in keystone, note that the 'remote' attributes will be prefixed with HTTP_, so for instance, if you set OIDCClaimPrefix to OIDC-, then a typical remote value to check for is HTTP_OIDC_ISS.
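The following is an added example (not part of the keystone documentation or the mod_auth_openidc project) that derives the HTTP_-prefixed remote attribute name from the OIDCClaimPrefix, enforces the mod_wsgi header constraint from the note above, and emits a keystone mapping rule pinned to the Google issuer; the group and domain names are hypothetical.

```python
import json
import re

# mod_wsgi < 4.3.0 only forwards headers whose names are alphanumerics or
# dashes, which is why the note above constrains OIDCClaimPrefix.
_WSGI_SAFE_HEADER = re.compile(r"^[A-Za-z0-9-]+$")


def claim_prefix_is_wsgi_safe(prefix):
    """True if a claim prefix survives the mod_wsgi header filter."""
    return bool(_WSGI_SAFE_HEADER.match(prefix))


def remote_attribute_name(claim_prefix, claim):
    """Name under which keystone sees a claim in the request environment.

    mod_auth_openidc exposes each claim as a request header named
    <OIDCClaimPrefix><claim>; the CGI/WSGI convention then upper-cases it,
    replaces '-' with '_' and prepends HTTP_.
    """
    return "HTTP_" + (claim_prefix + claim).upper().replace("-", "_")


def build_mapping(claim_prefix, issuer, group_name, domain_name):
    """Keystone mapping rules that only accept assertions from `issuer`."""
    if not claim_prefix_is_wsgi_safe(claim_prefix):
        raise ValueError("prefix %r would be dropped by mod_wsgi" % claim_prefix)
    email_attr = remote_attribute_name(claim_prefix, "email")
    iss_attr = remote_attribute_name(claim_prefix, "iss")
    return {"rules": [{
        "local": [
            {"user": {"name": "{0}"}},  # {0} = first remote entry (email)
            {"group": {"name": group_name, "domain": {"name": domain_name}}},
        ],
        "remote": [
            {"type": email_attr},
            # Pin the issuer so the rule never applies to claims that did
            # not come from the configured Identity Provider.
            {"type": iss_attr, "any_one_of": [issuer]},
        ],
    }]}


if __name__ == "__main__":
    # Sample input (constructed): the OIDCClaimPrefix used above, Google's
    # issuer, and hypothetical group/domain names.
    print(json.dumps(build_mapping("OIDC-", "https://accounts.google.com",
                                   "federated_users", "Default"), indent=2))
```

The printed JSON can be saved to a file and registered with `openstack mapping create --rules <file>`.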