feat(keystone): add OAuth 2.0 authentication options

cardoe · cardoe · commit 150dda5865fb · 2025-12-10T13:31:25.000-06:00
The device authorization and the client credentials flows are OAuth 2.0
flows instead of OIDC so we need to be able to validate the token
submitted against the endpoint so we need to also read the metadata for
the OAuth 2.0 paths of mod_auth_openidc. Add another authentication
endpoint into apache for Keystone so that we can route the
authentication request to the correct connector inside of Dex to
successfully complete the authentication.
diff --git a/ansible/roles/keystone_bootstrap/tasks/sso.yml b/ansible/roles/keystone_bootstrap/tasks/sso.yml
@@ -64,6 +64,12 @@
     idp: sso
     mapping: sso_mapping
 
+- name: Create mapped protocol
+  openstack.cloud.keystone_federation_protocol:
+    name: mapped
+    idp: sso
+    mapping: sso_mapping
+
 - name: Create federated group mappings
   ansible.builtin.include_tasks: sso_groups.yml
   loop: "{{ keystone_bootstrap_groups }}"
diff --git a/components/keystone/values.yaml b/components/keystone/values.yaml
@@ -223,7 +223,9 @@ conf:
         OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto X-Forwarded-Port
 
         # OIDC provider's .well-known/configuration URL
-        OIDCProviderMetadataURL {{ tuple "dex" "internal" "dex" $ | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+        OIDCProviderMetadataURL {{ tuple "dex" "internal" "dex" $ | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}/.well-known/openid-configuration
+        # this is so that in the OAuth 2.0 flows we can validate the JWT token
+        OIDCOAuthVerifyJwksUri {{ tuple "dex" "internal" "dex" $ | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}/keys
         # Client / Application Identifier and Secret
         OIDCClientID keystone
         OIDCClientSecret "exec:/bin/cat /etc/keystone-sso/client-secret"
@@ -237,6 +239,7 @@ conf:
 
         # set the REMOTE_USER to the value of preferred_username
         OIDCRemoteUserClaim preferred_username
+        OIDCOAuthRemoteUserClaim preferred_username
         # scopes that we want to request
         OIDCScope "openid email profile groups"
 
@@ -271,6 +274,13 @@ conf:
           Require valid-user
           AuthType openid-connect
         </Location>
+        # add OAuth 2.0 support for the identity provider 'sso' using the 'mapped' protocol
+        <Location /v3/OS-FEDERATION/identity_providers/sso/protocols/mapped/auth>
+          Require valid-user
+          AuthType oauth20
+          # TODO: variablize this better
+          OIDCPathAuthRequestParams connector_id=machine
+        </Location>
     </VirtualHost>
 
 
@@ -317,7 +327,7 @@ endpoints:
       dex:
         # override this when full deployment
         default: 5556
-    path: '/.well-known/openid-configuration'
+    path: ''
 
 manifests:
   job_credential_cleanup: false
