[RFE] additional options for mod_auth_openidc config

Bug #2030816 reported by Freerk-Ole Zakfeld
This bug affects 1 person
Affects: kolla-ansible
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

When using mod_auth_openidc to authenticate against a Keycloak IDP, there needs to be the additional option `OIDCTokenBindingPolicy "disabled"` set. This will prevent mod_auth_openidc from including the field `id_token_token_binding_cnf` which, as of now, is not supported by Keycloak (see https://github.com/keycloak/keycloak/issues/22323#issuecomment-1670311035 for reference).

Since wsgi-keystone.conf is not merged with custom config, it is not very easy to change this option without creating an entire full config of one's own.

description: updated
Michal Nasiadka (mnasiadka) wrote :

I think we could solve that with a generic variable allowing to add custom OIDC* settings to mod_auth_openidc - are you willing to contribute that feature?

summary: - mod_auth_openidc config requires additional option for Keycloak
+ [RFE] additional options for mod_auth_openidc config
Freerk-Ole Zakfeld (freerkzakfeld) wrote :

Sure, I created a change (https://review.opendev.org/c/openstack/kolla-ansible/+/892831). Is there anything else I need to do?
