1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
# DO NOT USE THIS IN PRODUCTION ENVIRONMENTS!
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCCookieSameSite On
OIDCClaimPrefix "OIDC-"
OIDCClaimDelimiter ";"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "%OIDC_METADATA_URL%"
OIDCClientID "%OIDC_CLIENT_ID%"
OIDCClientSecret "%OIDC_CLIENT_SECRET%"
OIDCPKCEMethod "S256"
OIDCCryptoPassphrase "openstack"
OIDCRedirectURI "https://%HOST_IP%/identity/v3/redirect_uri"
<Location "/v3/redirect_uri">
Require valid-user
AuthType openid-connect
</Location>
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
LogLevel debug
</LocationMatch>
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
LogLevel debug
</LocationMatch>
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/auth">
AuthType "openid-connect"
Require valid-user
LogLevel debug
</LocationMatch>
<Location ~ "/v3/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/auth">
AuthType oauth20
Require valid-user
</Location>
OIDCOAuthClientID "%OIDC_CLIENT_ID%"
OIDCOAuthClientSecret "%OIDC_CLIENT_SECRET%"
OIDCOAuthIntrospectionEndpoint "%OIDC_INTROSPECTION_URL%"
# Horizon favors the referrer to the Keystone URL that is set.
# https://github.com/openstack/horizon/blob/5e4ca1a9fdec04db08552e9e93fe372b8b8b45ae/openstack_auth/views.py#L192
Header always set Referrer-Policy "no-referrer"
|
