© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
Thank you, Gaetan, for the detailed information and documentation!
In response to the patches you have outlined, I can report at this time:
- Patch 1:
We have merged a change to the Keystone charm that adds the missing Apache configuration for including the OpenIDC configuration directory. That change is at:
https:/
- Patch 2:
I submitted a change to the README for the Keystone OpenIDC charm to include adding the relation between Keystone and Horizon for the websso-
https:/
- Patch3 :
It looks like the charm code has some errors where the Identity provider ID and the protocol ID are exchanged or improperly defined. This will require a bit more thinking about how best to resolve these errors.
- Patch 4:
Based on the mod_auth_openidc documentation, it seems like OIDCRedirectURI should only be set once. I think the additional declarations should be removed.
- Patch 5:
Adding configuration for OIDCXForwardedH
- Patch 6:
We will need to manage mod_auth_openidc's behavior for calculating the session cookie if we plan to use multiple units of Keystone with load balancers or proxies. mod_auth_openidc can solve this problem with a shared cookie/session store like memcached, but I would prefer to not introduce an additional service if possible. The default behavior for mod_auth_oidc is to pass a session cookie to the web browser, and the cookie lasts for as long as the browser session lasts. Adding the "persistent" flag makes the cookie persist through multiple browser restarts. The cookie will still expire normally within the timeout configured in mod_auth_openidc. The default timeout is 300 seconds. While changing the Apache configuration is the simplest approach, this part of the work could use more thinking.
Thank you again, Gaetan, for your help and for carefully recording all of the changes to get the OIDC federation working.