OpenID Connect implementation for OpenStack Keystone.
Detailed description of the Python project keystone-oidc-auth-plugin
OpenID Connect plugin for Keystone authentication
This repository contains an OpenID Connect implementation for the OpenStack Identity service (Keystone). In
Installation
Install via pip:
pip install keystone_oidc_auth_plugin
Configuration
To configure it, you must enable it in the authentication methods in keystone.conf and then specify that the ifca plugin is to be used, for example:
The global OpenID Connect options can then be configured as follows:
[openid]
# The prefix to use when setting claims in the HTTP headers/environment
# variables. (string value)
#claim_prefix = OIDC_
# Value to be used to obtain the entity ID of the Identity Provider from the
# environment. Defaults to OIDC_iss. (string value)
#remote_id_attribute = OIDC_iss
# Default duration in seconds after which retrieved JWS should be refreshed.
# (integer value)
#jws_refresh_interval = 3600
Finally, you need to add a section for each Identity Provider (IdP) you want to support. To do this, the plugin looks for IdP entries prefixed with openid_. The IdP name you use for each entry must match the name of the identity provider configured in Keystone, so if you have defined an IdP named idp-name, you must add an entry as follows:
[openid_idp-name]
# OpenID Connect issuer URL. We will use this to build all the required options
# by asking the discovery URL (i.e. querying the $issuer/.well-known/openid-configuration
# endpoint). This has to correspond to the 'remote-id' parameter that is set in the
# federated identity provider configuration in Keystone. (string value)
#issuer = <None>
# Client identifier used in calls to the OpenID Connect Provider (string value)
#client_id = <None>
# OpenID Connect authorization endpoint URL of the Identity Provider. (string value)
#authorization_endpoint = <None>
# Client secret known only to the application and the Identity Provider (string value)
#client_secret = <None>
# Supported OpenID scopes in the Identity Provider (string value)
#scope = <None>
# OpenID Connect token endpoint URL used to obtain identity and access tokens (string value)
#token_endpoint = <None>
# Allowed HTTP method for the userinfo request. Optional.
#userinfo_method = POST
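As an added example (not the plugin's own code), the following Python reads a keystone.conf fragment with the sections described above, lists the [openid_<idp-name>] entries, reports which of the listed options are missing, derives each issuer's discovery URL, and maps the issuer value carried in the remote_id_attribute environment variable (OIDC_iss by default) back to an IdP name. The IdP names, URLs and secret in the sample configuration are constructed placeholders.

```python
import configparser

SECTION_PREFIX = "openid_"
# Options the README lists per IdP section; scope and userinfo_method are optional.
REQUIRED = ("issuer", "client_id", "client_secret",
            "authorization_endpoint", "token_endpoint")
# Constructed sample keystone.conf fragment; IdP names, URLs and secret are made up.
SAMPLE_CONF = """[openid]
remote_id_attribute = OIDC_iss

[openid_example-idp]
issuer = https://idp.example.org
client_id = keystone-client
client_secret = <placeholder-secret>
authorization_endpoint = https://idp.example.org/authorize
token_endpoint = https://idp.example.org/token
scope = openid profile email

[openid_broken-idp]
issuer = https://other.example.net/
client_id = only-partially-configured
"""

def load_config(conf_text):
    """Return (remote_id_attribute, {idp-name: options}) from keystone.conf text."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '<' and '%' literal
    cp.read_string(conf_text)
    attr = cp.get("openid", "remote_id_attribute", fallback="OIDC_iss")
    idps = {s[len(SECTION_PREFIX):]: dict(cp[s])
            for s in cp.sections() if s.startswith(SECTION_PREFIX)}
    return attr, idps

def missing_options(idp):
    """Required options that are absent or empty in one IdP section."""
    return [k for k in REQUIRED if not idp.get(k)]

def discovery_url(idp):
    """Document the plugin fetches: $issuer/.well-known/openid-configuration."""
    return idp["issuer"].rstrip("/") + "/.well-known/openid-configuration"

def resolve_idp(conf_text, environ):
    """Map the issuer carried in the remote_id_attribute variable to an IdP name."""
    attr, idps = load_config(conf_text)
    issuer = environ.get(attr)
    for name, idp in idps.items():
        # Exact match, as OIDC requires: a trailing-slash mismatch is a bug to fix.
        if issuer is not None and idp.get("issuer") == issuer:
            return name
    return None
```

Running the checks against the sample flags broken-idp as incomplete and shows that an OIDC_iss value differing only by a trailing slash resolves to no IdP, which is the behaviour to keep rather than loosen.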