kolla-ansible

[RFE] additional options for mod_auth_openidc config

Bug #2030816 reported by Freerk-Ole Zakfeld on 2023-08-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	kolla-ansible	New	Undecided	Unassigned

Bug Description

When using mod_auth_openidc to authenticate against a Keycloak IDP, there needs to be the additional option `OIDCTokenBindingPolicy "disabled"` set. This will prevent mod_auth_openidc from including the field `id_token_token_binding_cnf ` which, as of now, is not supported by Keycloak (see https://github.com/keycloak/keycloak/issues/22323#issuecomment-1670311035 for reference).

Since wsgi-keystone.conf is not merged with custom config, it is not very easy to change this option without creating an entire own full config.

See original description

Freerk-Ole Zakfeld (freerkzakfeld) on 2023-08-08

description:

updated

Revision history for this message

Michal Nasiadka (mnasiadka) wrote on 2023-08-25:

I think we could solve that with a generic variable allowing to add custom OIDC* settings to mod_auth_openidc - are you willing to contribute that feature?

summary:

- mod_auth_openidc config requires additional option for Keycloak
+ [RFE] additional options for mod_auth_openidc config

Revision history for this message

Freerk-Ole Zakfeld (freerkzakfeld) wrote on 2023-08-26:

Sure, I created a change (https://review.opendev.org/c/openstack/kolla-ansible/+/892831) is there anything else I need to do?

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.