Setup OpenID Connect¶
Configuring mod_auth_openidc¶
Federate Keystone (SP) and an external IdP using OpenID Connect (mod_auth_openidc)
To install mod_auth_openidc on Ubuntu, perform the following:
sudo apt-get install libapache2-mod-auth-openidc
This module is available for other distributions (Fedora/CentOS/Red Hat) from: https://github.com/pingidentity/mod_auth_openidc/releases
In the keystone Apache site file, add the following as a top level option, to load the mod_auth_openidc module:
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
Also within the same file, locate the virtual host entry and add the following entries for OpenID Connect:
<VirtualHost *:5000>
...
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL <url_of_provider_metadata>
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/oidc/auth/redirect
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
</LocationMatch>
</VirtualHost>
Note an example of an OIDCProviderMetadataURL instance is: https://accounts.google.com/.well-known/openid-configuration If not using OIDCProviderMetadataURL, then the following attributes must be specified: OIDCProviderIssuer, OIDCProviderAuthorizationEndpoint, OIDCProviderTokenEndpoint, OIDCProviderTokenEndpointAuth, OIDCProviderUserInfoEndpoint, and OIDCProviderJwksUri
Note, if using a mod_wsgi version less than 4.3.0, then the OIDCClaimPrefix must be specified to have only alphanumerics or a dash (“-”). This is because mod_wsgi blocks headers that do not fit this criteria. See http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed for more details
Once you are done, restart your Apache daemon:
$ service apache2 restart
Tips¶
- When creating a mapping, note that the ‘remote’ attributes will be prefixed, with HTTP_, so for instance, if you set OIDCClaimPrefix to OIDC-, then a typical remote value to check for is: HTTP_OIDC_ISS.
- Don’t forget to add oidc as an [auth] plugin in keystone.conf, see Configure authentication drivers in keystone.conf