keystone-openidc

Keystone OpenID Connect

  • OpenStack Charmers
Channel Revision Published Runs on
latest/edge 36 24 Feb 2025
Ubuntu 24.04 Ubuntu 23.10 Ubuntu 23.04 Ubuntu 22.04
latest/edge 35 24 Feb 2025
Ubuntu 24.04 Ubuntu 23.10 Ubuntu 23.04 Ubuntu 22.04
latest/edge 34 24 Feb 2025
Ubuntu 24.04 Ubuntu 23.10 Ubuntu 23.04 Ubuntu 22.04
latest/edge 33 24 Feb 2025
Ubuntu 24.04 Ubuntu 23.10 Ubuntu 23.04 Ubuntu 22.04
latest/edge 19 22 Aug 2024
Ubuntu 24.04 Ubuntu 23.10 Ubuntu 23.04 Ubuntu 22.04
latest/edge 11 03 Aug 2023
Ubuntu 24.04 Ubuntu 23.10 Ubuntu 23.04 Ubuntu 22.04
zed/stable 5 23 Jan 2023
Ubuntu 22.04
yoga/stable 5 28 Jun 2024
Ubuntu 22.04
2024.1/stable 37 10 Mar 2025
Ubuntu 22.04
2023.2/stable 12 30 Nov 2023
Ubuntu 23.10 Ubuntu 22.04 Ubuntu 20.04
2023.1/stable 10 02 Jun 2023
Ubuntu 23.04 Ubuntu 22.04
juju deploy keystone-openidc --channel edge
Show information

Learn to deploy on juju >

Platform:

Ubuntu
24.04 23.10 23.04 22.04 20.04

Learn about configurations >

  • auth-type | string

    Default: auth-openidc

    To add support to Bearer Access Token authentication flow that is used by applications that do not adopt the browser flow, such the OpenStack CLI, the auth-type must be set to auth-openidc (the default) otherwise to openid-connect.

  • debug | boolean

    Enable debug logging.

  • enable-oauth | boolean

    Default: True

    Set to true to enable OAuth2 support.

  • idp_id | string

    The ID of the Identity Provider defined in Keystone.

  • oidc-client-id | string

    Client identifier used to connect to the OpenID Connect Provider.

  • oidc-client-secret | string

    Password used to authenticate with the OpenID Connect Provider.

  • oidc-oauth-introspection-endpoint | string

    OAuth 2.0 Authorization Server token introspection endpoint. When enable-oauth is set to true and this option unset (the default), the introspection endpoint available in the metadata will be used.

  • oidc-oauth-verify-jwks-uri | string

    The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.

  • oidc-provider-auth-endpoint | string

    Open ID Connect Provider authorization endpoint (e.g. https://example.com/as/authorization.oauth2). Used when oidc-provider-metadata-url is not set or the metadata obtained from that URL does not set it.

  • oidc-provider-issuer | string

    Open ID Connect Provider issuer identifier (e.g. https://example.com ). Used when oidc-provider-metadata-url is not set or the metadata obtained from that URL does not set it.

  • oidc-provider-jwks-uri | string

    .

  • oidc-provider-metadata-url | string

    URL to discover the OpenID Connect Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations. Example: https://example.com/.well-known/openid-configuration

  • oidc-provider-token-endpoint | string

    Open ID Connect Provider token endpoint (e.g. https://example.com/as/token.oauth2). Used when oidc-provider-metadata-url is not set or the metadata obtained from that URL does not set it.

  • oidc-provider-token-endpoint-auth | string

    Authentication method for the Open ID Connect Provider token endpoint, possible options are: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt or none. Used when oidc-provider-metadata-url is not set or the metadata obtained from that URL does not set it.

  • oidc-provider-user-info-endpoint | string

    Open ID Connect Provider user info endpoint (e.g. https://example.com/idp/userinfo.openid). Used when oidc-provider-metadata-url is not set or the metadata obtained from that URL does not set it.

  • oidc-remote-user-claim | string

    The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths, for example: email.

  • oidc-response-type | string

    Default: id_token

    Define the OIDCResponseType for mod_auth_openidc uses limit the responses type. It must be one of the following: code|id_token|id_token token|code id_token|code token|code id_token token Empty string will remove that option completely.

  • oidc-session-type | string

    Default: server-cache

    Set where OpenID Connect session cookies are stored. BY default cookies are stored on the web server. Can be one of 'server-cache', 'server-cache:persistent', 'client-cookie', 'client-cookie:persistent', 'client-cookie:store_id_token', or 'client-cookie:persistent:store_id_token'. When using multiple units of Keystone behind a proxy, use 'client-cookie:persistent' if you are not using shared session storage for Keystone.

  • oidc-state-input-headers | string

    Default: user-agent

    Define the headers mod_auth_openidc uses to calculate the browser fingerprint during authentication. Set to "none" if using multiple units of Keystone behind a load balancer or proxy.

  • oidc-x-forwarded-headers | string

    X-Forwarded-* headers from reverse proxies that mod_auth_openidc should look for. Must be one or more of "X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto", "Forwarded", or "none". mod_auth_openidc ignores this setting if it is "none" or undefined. Use this setting when using a proxy that changes the protocol, host, or port when handling the authentication workflow.

  • protocol_id | string

    Default: openid

    Federation protocol name.

  • remote-id-attribute | string

    Default: HTTP_OIDC_ISS

    Attribute used to obtain the entity ID of the OpenID Connect Provider.

  • user-facing-name | string

    Default: OpenID Connect via mapped

    A user-facing name to be used for the identity provider and protocol combination. Used in the OpenStack dashboard.