Setup OpenID Connect

Setup OpenID Connect

Configuring mod_auth_openidc

Federate Keystone (SP) and an external IdP using OpenID Connect (mod_auth_openidc)

To install mod_auth_openidc on Ubuntu, perform the following:

$ sudo apt-get install libapache2-mod-auth-openidc

This module is available for other distributions (Fedora/CentOS/Red Hat) from: https://github.com/pingidentity/mod_auth_openidc/releases

Enable the auth_openidc module:

$ sudo a2enmod auth_openidc

In the keystone vhost file, locate the virtual host entry and add the following entries for OpenID Connect:

<VirtualHost *:5000>

    ...

    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "id_token"
    OIDCScope "openid email profile"
    OIDCProviderMetadataURL <url_of_provider_metadata>
    OIDCClientID <openid_client_id>
    OIDCClientSecret <openid_client_secret>
    OIDCCryptoPassphrase openstack
    OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
      AuthType openid-connect
      Require valid-user
      LogLevel debug
    </LocationMatch>
</VirtualHost>

Note an example of an OIDCProviderMetadataURL instance is: https://accounts.google.com/.well-known/openid-configuration If not using OIDCProviderMetadataURL, then the following attributes must be specified: OIDCProviderIssuer, OIDCProviderAuthorizationEndpoint, OIDCProviderTokenEndpoint, OIDCProviderTokenEndpointAuth, OIDCProviderUserInfoEndpoint, and OIDCProviderJwksUri

Note, if using a mod_wsgi version less than 4.3.0, then the OIDCClaimPrefix must be specified to have only alphanumerics or a dash (“-“). This is because mod_wsgi blocks headers that do not fit this criteria. See http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed for more details

Once you are done, restart your Apache daemon:

$ sudo service apache2 restart

Tips

  1. When creating a mapping, note that the ‘remote’ attributes will be prefixed, with HTTP_, so for instance, if you set OIDCClaimPrefix to OIDC-, then a typical remote value to check for is: HTTP_OIDC_ISS.
  2. Don’t forget to add openid as an [auth] plugin in keystone.conf, see Configure authentication drivers in keystone.conf
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.