keystone oidc #2

Supports: xenial bionic focal

Description

The main goal of this charm is to generate the OIDC configuration that the Keystone charm needs and to signal the Keystone service to restart when that configuration changes. Keystone has a federated backend that supports OIDC, together with an authentication plug-in called "mapped" which does the rest of the work of resolving the attributes supplied by the identity provider into Keystone users and groups.


Configuration

Each option is listed as name (type), its description, and its default where the charm ships one. Options without a "Default:" line have no default and must be set explicitly.

debug (boolean)
    Enable debug logging.

idp-name (string)
    Identity provider name to use for URL generation. Must match the identity provider registered via the OS-FEDERATION API.
    Default: google

keystone-remote-id-attribute (string)
    Identity provider remote ID attribute, i.e. the request attribute Keystone reads to identify the issuer. See https://docs.openstack.org/keystone/ocata/federation/federated_identity.html
    Default: HTTP_OIDC_ISS

oidc-claim-prefix (string)
    OIDCClaimPrefix: a prefix that will be added to each OIDC claim.
    Default: OIDC-

oidc-client-id (string)
    OIDCClientID: the client ID issued by the OIDC Provider during the client registration phase.

oidc-client-secret (string)
    OIDCClientSecret: the secret issued to the client by the OIDC Provider during the client registration phase. Treat this value as a credential.

oidc-crypto-passphrase (string)
    OIDCCryptoPassphrase: a passphrase used to encrypt claims. The default is a public placeholder; set a strong, unique value before putting the charm into service.
    Default: cryptopassphrase

oidc-provider-metadata-url (string)
    OIDCProviderMetadataURL: the URL from which the module obtains all the OIDC Provider configuration details in JSON format (endpoints, supported flows, etc.). For example https://accounts.google.com/.well-known/openid-configuration
    Default: https://accounts.google.com/.well-known/openid-configuration

oidc-redirect-uri (string)
    OIDCRedirectURI: a URI, protected by the module itself, that acts as the callback for the authentication response, e.g. https://FQDN:5000/v3/auth/OS-FEDERATION/websso/openid/redirect. The same URI must be registered with the OIDC Provider, which will reject callbacks to any other address.

oidc-response-type (string)
    OIDCResponseType: defines the OpenID Connect authentication flow used.
    Default: id_token

oidc-scope (string)
    OIDCScope: defines the claims that will be returned by the OIDC Provider.
    Default: openid email profile

protocol-name (string)
    Protocol name to use for URL generation. Must match the protocol registered via the OS-FEDERATION API.
    Default: openid

ssl_ca (string)
    TLS CA to use to communicate with other components in a deployment. NOTE: this option takes precedence over any certificates received over the ``certificates`` relation.

ssl_cert (string)
    TLS certificate to install and use for any listening services. NOTE: this option takes precedence over any certificates received over the ``certificates`` relation.

ssl_key (string)
    TLS key to use with the certificate specified as ``ssl_cert``. NOTE: this option takes precedence over any certificates received over the ``certificates`` relation.

use-internal-endpoints (boolean)
    OpenStack mostly defaults to using public endpoints for internal communication between services. If set to True, this option configures services to use internal endpoints where possible.

use-syslog (boolean)
    Setting this to True allows supporting services to log to syslog.

user-facing-name (string)
    A user-facing name to be used in the OpenStack dashboard.
    Default: Google

verbose (boolean)
    Enable verbose logging.
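The description says the charm's job is to turn these options into Keystone's OIDC configuration. The Python below is an added illustration of that step, written for this page; it is not the charm's own template and does not reproduce its output. It assumes (the page does not say so) that the OIDC* options map one-to-one onto Apache mod_auth_openidc directives of the same name, and that the protected paths follow the Keystone OS-FEDERATION URL layout (/v3/OS-FEDERATION/identity_providers/<idp-name>/protocols/<protocol-name>/auth and /v3/auth/OS-FEDERATION/websso/<protocol-name>). The sample values, hostname, client ID and client secret are constructed placeholders. The point of the example is the pre-flight check: it refuses to render a configuration that still carries the published default passphrase, uses a non-https URL, or has a redirect URI that does not sit under the websso path for the configured protocol.

```python
"""Render mod_auth_openidc and keystone.conf fragments from keystone-oidc
style options, after sanity-checking the values.

Illustrative code for this page, not the charm's own template. Directive
names are assumed to be mod_auth_openidc's; the Location paths are assumed
to follow Keystone's OS-FEDERATION URL layout.
"""
from urllib.parse import urlparse

# Published charm default for the crypto passphrase; must never reach production.
DEFAULT_PASSPHRASE = "cryptopassphrase"

# Constructed sample mirroring the option names and defaults listed above.
# Hostname, client ID and client secret are placeholders, not real credentials.
SAMPLE_CONFIG = {
    "idp-name": "google",
    "protocol-name": "openid",
    "keystone-remote-id-attribute": "HTTP_OIDC_ISS",
    "oidc-claim-prefix": "OIDC-",
    "oidc-client-id": "example-client-id",
    "oidc-client-secret": "example-client-secret",
    "oidc-crypto-passphrase": DEFAULT_PASSPHRASE,
    "oidc-provider-metadata-url": "https://accounts.google.com/.well-known/openid-configuration",
    "oidc-redirect-uri": "https://keystone.example.com:5000/v3/auth/OS-FEDERATION/websso/openid/redirect",
    "oidc-response-type": "id_token",
    "oidc-scope": "openid email profile",
}


def check_config(cfg):
    """Return a list of problems found in cfg; an empty list means it passed."""
    problems = []
    for key in ("oidc-client-id", "oidc-client-secret", "idp-name", "protocol-name"):
        if not cfg.get(key):
            problems.append(f"{key} is empty")
    passphrase = cfg.get("oidc-crypto-passphrase", "")
    if passphrase == DEFAULT_PASSPHRASE:
        problems.append("oidc-crypto-passphrase still has the published default value")
    elif len(passphrase) < 16:
        problems.append("oidc-crypto-passphrase is shorter than 16 characters")
    for key in ("oidc-provider-metadata-url", "oidc-redirect-uri"):
        parsed = urlparse(cfg.get(key, ""))
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{key} must be an https URL")
    # The callback must live under the websso path for the configured protocol,
    # otherwise the protected Location below does not cover it.
    websso = f"/v3/auth/OS-FEDERATION/websso/{cfg.get('protocol-name', '')}"
    if not urlparse(cfg.get("oidc-redirect-uri", "")).path.startswith(websso):
        problems.append(f"oidc-redirect-uri path must start with {websso}")
    if "openid" not in cfg.get("oidc-scope", "").split():
        problems.append("oidc-scope must include 'openid'")
    return problems


def render_apache_config(cfg):
    """Return the Apache fragment (directive names assumed per mod_auth_openidc)."""
    idp, proto = cfg["idp-name"], cfg["protocol-name"]
    protected = [
        f"/v3/OS-FEDERATION/identity_providers/{idp}/protocols/{proto}/auth",
        f"/v3/auth/OS-FEDERATION/websso/{proto}",
    ]
    lines = [
        f'OIDCClaimPrefix "{cfg["oidc-claim-prefix"]}"',
        f'OIDCResponseType "{cfg["oidc-response-type"]}"',
        f'OIDCScope "{cfg["oidc-scope"]}"',
        f"OIDCProviderMetadataURL {cfg['oidc-provider-metadata-url']}",
        f"OIDCClientID {cfg['oidc-client-id']}",
        f"OIDCClientSecret {cfg['oidc-client-secret']}",
        f"OIDCCryptoPassphrase {cfg['oidc-crypto-passphrase']}",
        f"OIDCRedirectURI {cfg['oidc-redirect-uri']}",
        "",
    ]
    for path in protected:
        lines += [f"<Location {path}>", "    AuthType openid-connect",
                  "    Require valid-user", "</Location>"]
    return "\n".join(lines) + "\n"


def render_keystone_conf(cfg):
    """keystone.conf fragment naming the remote ID attribute for the protocol
    (the per-protocol section name is an assumption of this example)."""
    return (f"[{cfg['protocol-name']}]\n"
            f"remote_id_attribute = {cfg['keystone-remote-id-attribute']}\n")


def render(cfg):
    """Refuse to emit configuration that contains a known-bad value."""
    problems = check_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return render_apache_config(cfg) + "\n" + render_keystone_conf(cfg)


if __name__ == "__main__":
    try:
        print(render(SAMPLE_CONFIG))
    except ValueError as exc:
        print(f"refusing to render: {exc}")
```

Run as-is, the script refuses the sample because it still carries the default passphrase; replace that one value and it prints the two fragments. The same check is the kind of gate a charm's config-changed hook can apply before writing files and signalling a Keystone restart.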