Add OIDCDiscoverURL mod_oidc option

This gets rid of one of the steps in the authentication flow. Closes-Bug: 1930055 Change-Id: I4ed4651b55a912f1d9aec7277bae6bb4776f1e0a (cherry picked from commit 510508e9fa416801af58c1aedcf24e0bf8e88194)
stackhpc · Feb 1, 2022 · 67ccb7e · 67ccb7e
1 parent 6c304fe
commit 67ccb7e
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -78,6 +78,7 @@ LogLevel info
 {% for idp in keystone_identity_providers %}
 {% if idp.protocol == 'openid' %}
     <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/websso>
+      OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ item.identifier | urlencode }}
       Require valid-user
       AuthType openid-connect
     </LocationMatch>