From 85be68126e1220a1b2bb879188a1290db0f6edb5 Mon Sep 17 00:00:00 2001
From: fzakfeld
Date: Sat, 26 Aug 2023 10:53:29 +0200
Subject: [PATCH] keystone: Add support for OIDC options

Introduce keystone_federation_oidc_additional_options variable

Change-Id: I39b9f35dab6f4e3ac2fcb505aabd2589e6e2ca69
---
 ansible/roles/keystone/defaults/main.yml | 1 +
 ansible/roles/keystone/templates/wsgi-keystone.conf.j2 | 3 +++
 doc/source/reference/shared-services/keystone-guide.rst | 8 ++++++++
 .../notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml | 5 +++++
 4 files changed, 17 insertions(+)
 create mode 100644 releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml

diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 3a483d4b2e..649eb1aaff 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -234,6 +234,7 @@ keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keys
 keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
 keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
 keystone_federation_oidc_jwks_uri: ""
+keystone_federation_oidc_additional_options: {}
 
 # These variables are used to define multiple trusted Horizon dashboards.
 # keystone_trusted_dashboards: ['', '', '']
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 2e42f5a7d1..a6246ce065 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
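Review bot: `keystone_federation_oidc_additional_options: {}` is added without the explanatory comment that the file uses just below for `keystone_trusted_dashboards`, so an operator reading the defaults cannot tell that every key/value pair is copied verbatim, unquoted and unvalidated, into the mod_auth_openidc section of wsgi-keystone.conf. Because the mapping is consumed by Jinja, YAML's implicit typing applies to the values (`Off`, `yes`, `0600` are retyped before rendering), which is worth stating where the variable is declared. Suggested comment above the new line: `# Extra mod_auth_openidc directives (DirectiveName: value) rendered verbatim into wsgi-keystone.conf; quote values as strings so YAML does not retype them.`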
@@ -80,6 +80,9 @@ LogLevel info OIDCCacheType memcache OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}" {% endif %} +{% for key, value in keystone_federation_oidc_additional_options.items() %} + {{ key }} {{ value }} +{% endfor %} Require valid-user diff --git a/doc/source/reference/shared-services/keystone-guide.rst b/doc/source/reference/shared-services/keystone-guide.rst index dc3d766c54..c0f157cb84 100644 --- a/doc/source/reference/shared-services/keystone-guide.rst +++ b/doc/source/reference/shared-services/keystone-guide.rst @@ -96,6 +96,14 @@ used by OpenStack command line client. Example config shown below: keystone_federation_oidc_jwks_uri: "https:////discovery/v2.0/keys" +Some identity providers need additional mod_auth_openidc config. +Example for Keycloak shown below: + +.. code-block:: yaml + + keystone_federation_oidc_additional_options: + OIDCTokenBindingPolicy: disabled + Identity providers configurations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml b/releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml new file mode 100644 index 0000000000..203842f9b6 --- /dev/null +++ b/releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds ``keystone_federation_oidc_additional_options`` that allows to pass + additional OIDC options.
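Review bot: The `{{ key }} {{ value }}` line renders operator-supplied option values into the Apache config with no quoting, escaping or validation, so YAML implicit typing reaches the rendered file: an unquoted `OIDCSSLValidateServer: Off` arrives as a Python boolean and is emitted as `OIDCSSLValidateServer False`, and whether mod_auth_openidc's directive parser accepts that spelling is not something the hunk establishes, so the keystone-guide example should quote its value (`OIDCTokenBindingPolicy: "disabled"`) and note that this particular example relaxes a token-binding check rather than presenting it as a neutral template. Since the loop is emitted after the built-in OIDC directives, an entry here presumably overrides them (OIDCCryptoPassphrase, OIDCRedirectURI, OIDCOAuthVerifyJwksUri), which is useful but should be stated in the template with a comment such as `{# Operator-supplied mod_auth_openidc directives from keystone_federation_oidc_additional_options; rendered verbatim and last, so they can override the settings above. #}`. Whether the new loop sits inside the `keystone_enable_federation_openid` guard, and thus whether a non-empty mapping can emit OIDC directives when the module is not loaded, cannot be seen from the hunk; the enclosing block starts and ends outside it.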