rackerlabs · cardoe · Sep 2, 2025 · Dec 11, 2025 · skrobul · Dec 11, 2025
diff --git a/ansible/roles/keystone_bootstrap/tasks/sso.yml b/ansible/roles/keystone_bootstrap/tasks/sso.yml
@@ -64,6 +64,12 @@
     idp: sso
     mapping: sso_mapping
 
+- name: Create mapped protocol
+  openstack.cloud.keystone_federation_protocol:
+    name: mapped
+    idp: sso
+    mapping: sso_mapping
+
 - name: Create federated group mappings
   ansible.builtin.include_tasks: sso_groups.yml
   loop: "{{ keystone_bootstrap_groups }}"

diff --git a/components/dex/values.yaml b/components/dex/values.yaml
@@ -108,6 +108,30 @@ envVars:
         name: oidc-sso
         key: redirect-uri
         optional: true
+  - name: CONNECTOR_SSO_ISSUER
+    valueFrom:
+      secretKeyRef:
+        name: connector-sso
+        key: issuer
+        optional: true
+  - name: CONNECTOR_SSO_CLIENT_ID
+    valueFrom:
+      secretKeyRef:
+        name: connector-sso
+        key: client-id
+        optional: true
+  - name: CONNECTOR_SSO_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: connector-sso
+        key: client-secret
+        optional: true
+  - name: CONNECTOR_SSO_REDIRECT_URI
+    valueFrom:
+      secretKeyRef:
+        name: connector-sso
+        key: redirect-uri
+        optional: true
   - name: GRAFANA_SSO_CLIENT_SECRET
     valueFrom:
       secretKeyRef:

diff --git a/components/keystone/values.yaml b/components/keystone/values.yaml
@@ -223,7 +223,9 @@ conf:
         OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto X-Forwarded-Port
 
         # OIDC provider's .well-known/configuration URL
-        OIDCProviderMetadataURL {{ tuple "dex" "internal" "dex" $ | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+        OIDCProviderMetadataURL {{ tuple "dex" "internal" "dex" $ | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}/.well-known/openid-configuration
+        # this is so that in the OAuth 2.0 flows we can validate the JWT token
+        OIDCOAuthVerifyJwksUri {{ tuple "dex" "internal" "dex" $ | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}/keys
         # Client / Application Identifier and Secret
         OIDCClientID keystone
         OIDCClientSecret "exec:/bin/cat /etc/keystone-sso/client-secret"
@@ -237,6 +239,7 @@ conf:
 
         # set the REMOTE_USER to the value of preferred_username
         OIDCRemoteUserClaim preferred_username
+        OIDCOAuthRemoteUserClaim preferred_username
         # scopes that we want to request
         OIDCScope "openid email profile groups"
 
@@ -271,6 +274,13 @@ conf:
           Require valid-user
           AuthType openid-connect
         </Location>
+        # add OAuth 2.0 support for the identity provider 'sso' using the 'mapped' protocol
+        <Location /v3/OS-FEDERATION/identity_providers/sso/protocols/mapped/auth>
+          Require valid-user
+          AuthType oauth20
+          # TODO: variablize this better
+          OIDCPathAuthRequestParams connector_id=machine
+        </Location>
     </VirtualHost>
 
 
@@ -317,7 +327,7 @@ endpoints:
       dex:
         # override this when full deployment
         default: 5556
-    path: '/.well-known/openid-configuration'
+    path: ''
 
 manifests:
   job_credential_cleanup: false