diff --git a/README.md b/README.md
index 5db5ffff6..0ffef925f 100644
--- a/README.md
+++ b/README.md
@@ -568,6 +568,7 @@ The config map includes the following:
| external | IPA, IPA 2-factor authentication, IPA/AD Trust, Ldap (OpenLdap, RHDS, Active Directory, etc.)
| active-directory | Active Directory domain realm join
| saml | SAML based authentication (Keycloak, ADFS, etc.)
+ | oidc | OpenID-Connect based authentication (Keycloak, ADFS, etc.)
* The kerberos realms to join `auth-kerberos-realms`, default is `undefined`
@@ -611,7 +612,7 @@ Binary files can be specified in the configuration map in their base64 encoded f
When an /etc/sssd/sssd.conf file is included in the configuration map, the httpd pod automatically enables the sssd service upon startup.
-### Sample external authentication configuration:
+### Sample 1 external authentication configuration for SAML:
Excluding the content of the files, a SAML auth-config map data section may look like:
@@ -654,6 +655,25 @@ data:
```
+### Sample 2 external authentication configuration for OpenID-Connect:
+
+A OpenID-COnnect auth-config map data section may look like:
+
+```bash
+data:
+ auth-type: openid-connect
+ auth-kerberos-realms:
+ auth-oidc-provider-metadata-url: http://my-keycloak-server:8080/auth/realms/miq/.well-known/openid-configuration
+ auth-oidc-client-id: my-openidc-client
+ auth-oidc-client-secret: a6760a49-b6a9-c439-d979-e87f3aa17019
+ auth-configuration.conf: |
+ # External Authentication Configuration File
+ #
+kind: ConfigMap
+metadata:
+ name: httpd-auth-configs
+```
+
The authentication configuration map can be defined and customized in the httpd pod as follows:
```bash
diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml
index 5181e219a..75e604a2d 100644
--- a/templates/miq-template-ext-db.yaml
+++ b/templates/miq-template-ext-db.yaml
@@ -356,6 +356,10 @@ objects:
# For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
RewriteCond %{REQUEST_URI} !^/saml2
+
+ # For OpenID-Connect /openid-connect is only served by mod_auth_openidc
+ RewriteCond %{REQUEST_URI} !^/openid-connect
+
RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
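Review bot: The new exclusion `RewriteCond %{REQUEST_URI} !^/openid-connect` does not match any path this diff actually assigns to mod_auth_openidc; the only OIDC endpoint configured is `OIDCRedirectURI "https://${APPLICATION_DOMAIN}/oidc_login/redirect_uri"` in the hunk at -448, so the proxy bypass and the redirect URI name different prefixes. If the intent is the same as the `/saml2` rule above it — keep the module's own endpoint from being proxied to the backend — the condition should be `RewriteCond %{REQUEST_URI} !^/oidc_login` or the redirect URI should be moved under `/openid-connect`; if the mismatch is deliberate, the comment should say what is served under `/openid-connect`. I cannot tell from the diff whether mod_auth_openidc intercepts the redirect URI before the `[P]` rewrite takes effect, so this may only be a documentation issue, but the two values should agree. The same hunk is added to templates/miq-template.yaml at -154.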
@@ -448,6 +452,24 @@ objects:
Include "conf.d/external-auth-remote-user-conf"
+ configuration-openid-connect-auth: |
+ LoadModule auth_openidc_module modules/mod_auth_openidc.so
+
+ OIDCProviderMetadataURL ${HTTPD_AUTH_OIDC_PROVIDER_METADATA_URL}
+ OIDCClientID ${HTTPD_AUTH_OIDC_CLIENT_ID}
+ OIDCClientSecret ${HTTPD_AUTH_OIDC_CLIENT_SECRET}
+
+ OIDCRedirectURI "https://${APPLICATION_DOMAIN}/oidc_login/redirect_uri"
+ OIDCOAuthRemoteUserClaim username
+
+ OIDCCryptoPassphrase sp-secret
+
+
+ AuthType openid-connect
+ Require valid-user
+
+
+ Include "conf.d/external-auth-openid-connect-remote-user-conf"
external-auth-load-modules-conf: |
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
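Review bot: `OIDCCryptoPassphrase sp-secret` is a fixed literal shipped in the template, so every deployment built from it encrypts its mod_auth_openidc session and state cookies with a passphrase that is public knowledge. It should be a template parameter with a generated value (OpenShift templates support `generate: expression` parameters) or a key in a Secret, referenced as e.g. `OIDCCryptoPassphrase ${HTTPD_AUTH_OIDC_CRYPTO_PASSPHRASE}` (variable name is a suggestion) and wired into the pod the same way the three `HTTPD_AUTH_OIDC_*` variables are in the hunk at -609. Separately, `OIDCOAuthRemoteUserClaim username` configures the OAuth 2.0 bearer-token path rather than `AuthType openid-connect`, whose directive is `OIDCRemoteUserClaim`; since the remote-user conf in the next hunk reads `OIDC_CLAIM_PREFERRED_USERNAME` directly, this line appears to have no effect and should be confirmed and either corrected or dropped. The same block is added to templates/miq-template.yaml at -246.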
@@ -501,6 +523,17 @@ objects:
RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+ external-auth-openid-connect-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{OIDC_CLAIM_PREFERRED_USERNAME}e env=OIDC_CLAIM_PREFERRED_USERNAME
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{OIDC_CLAIM_EMAIL}e env=OIDC_CLAIM_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_GIVEN_NAME}e env=OIDC_CLAIM_GIVEN_NAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{OIDC_CLAIM_FAMILY_NAME}e env=OIDC_CLAIM_FAMILY_NAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{OIDC_CLAIM_NAME}e env=OIDC_CLAIM_NAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{OIDC_CLAIM_GROUPS}e env=OIDC_CLAIM_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{OIDC_CLAIM_DOMAIN}e env=OIDC_CLAIM_DOMAIN
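Review bot: Only `X_REMOTE_USER` is cleared before the conditional sets; every other `RequestHeader set ... env=OIDC_CLAIM_*` line runs solely when that claim was present in the token, so when a claim is absent (a token without `groups`, for example) whatever `X_REMOTE_USER_GROUPS` or other same-named header arrived on the client request is forwarded to the backend unchanged. Since the backend trusts these headers as authenticated identity attributes, each forwarded header should be unset unconditionally first, as is already done for `X_REMOTE_USER`. The existing `external-auth-remote-user-conf` block above (its start is outside this hunk) may have the same pattern and is worth checking at the same time. The same block is added to templates/miq-template.yaml at -299.
```yaml
  external-auth-openid-connect-remote-user-conf: |
    RequestHeader unset X_REMOTE_USER
    RequestHeader unset X_EXTERNAL_AUTH_ERROR
    RequestHeader unset X_REMOTE_USER_EMAIL
    RequestHeader unset X_REMOTE_USER_FIRSTNAME
    RequestHeader unset X_REMOTE_USER_LASTNAME
    RequestHeader unset X_REMOTE_USER_FULLNAME
    RequestHeader unset X_REMOTE_USER_GROUPS
    RequestHeader unset X_REMOTE_USER_DOMAIN

    # ... unchanged: the conditional RequestHeader set ... env=OIDC_CLAIM_* lines ...
```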
- apiVersion: v1
kind: ConfigMap
metadata:
@@ -508,6 +541,9 @@ objects:
data:
auth-type: internal
auth-kerberos-realms: undefined
+ auth-oidc-provider-metadata-url: undefined
+ auth-oidc-client-id: undefined
+ auth-oidc-client-secret: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
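Review bot: `auth-oidc-client-secret` is stored in the `-auth-configs` ConfigMap alongside non-sensitive settings, and the hunk at -609 then exposes it to the pod through `configMapKeyRef`; ConfigMaps are not handled as sensitive data by the platform (they are readable by anyone with `get` on configmaps in the namespace and are displayed in plain text), so an OAuth client secret does not belong there. Move the key into a Secret and reference it with `secretKeyRef` instead of `configMapKeyRef`, keeping `optional: true` so the internal auth-type still works without it. The same two hunks are present in templates/miq-template.yaml at -306 and -754, and the README sample in this diff shows the secret in the ConfigMap as well, so the documented procedure should change together with the templates.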
@@ -599,6 +635,8 @@ objects:
limits:
memory: "${HTTPD_MEM_LIMIT}"
env:
+ - name: APPLICATION_DOMAIN
+ value: "${APPLICATION_DOMAIN}"
- name: HTTPD_AUTH_TYPE
valueFrom:
configMapKeyRef:
@@ -609,6 +647,24 @@ objects:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-kerberos-realms
+ - name: HTTPD_AUTH_OIDC_PROVIDER_METADATA_URL
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-oidc-provider-metadata-url
+ optional: true
+ - name: HTTPD_AUTH_OIDC_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-oidc-client-id
+ optional: true
+ - name: HTTPD_AUTH_OIDC_CLIENT_SECRET
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-oidc-client-secret
+ optional: true
lifecycle:
postStart:
exec:
diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml
index d103be88d..d67ad41f8 100644
--- a/templates/miq-template.yaml
+++ b/templates/miq-template.yaml
@@ -154,6 +154,10 @@ objects:
# For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
RewriteCond %{REQUEST_URI} !^/saml2
+
+ # For OpenID-Connect /openid-connect is only served by mod_auth_openidc
+ RewriteCond %{REQUEST_URI} !^/openid-connect
+
RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
@@ -246,6 +250,24 @@ objects:
Include "conf.d/external-auth-remote-user-conf"
+ configuration-openid-connect-auth: |
+ LoadModule auth_openidc_module modules/mod_auth_openidc.so
+
+ OIDCProviderMetadataURL ${HTTPD_AUTH_OIDC_PROVIDER_METADATA_URL}
+ OIDCClientID ${HTTPD_AUTH_OIDC_CLIENT_ID}
+ OIDCClientSecret ${HTTPD_AUTH_OIDC_CLIENT_SECRET}
+
+ OIDCRedirectURI "https://${APPLICATION_DOMAIN}/oidc_login/redirect_uri"
+ OIDCOAuthRemoteUserClaim username
+
+ OIDCCryptoPassphrase sp-secret
+
+
+ AuthType openid-connect
+ Require valid-user
+
+
+ Include "conf.d/external-auth-openid-connect-remote-user-conf"
external-auth-load-modules-conf: |
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
@@ -299,6 +321,17 @@ objects:
RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
+ external-auth-openid-connect-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{OIDC_CLAIM_PREFERRED_USERNAME}e env=OIDC_CLAIM_PREFERRED_USERNAME
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{OIDC_CLAIM_EMAIL}e env=OIDC_CLAIM_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_GIVEN_NAME}e env=OIDC_CLAIM_GIVEN_NAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{OIDC_CLAIM_FAMILY_NAME}e env=OIDC_CLAIM_FAMILY_NAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{OIDC_CLAIM_NAME}e env=OIDC_CLAIM_NAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{OIDC_CLAIM_GROUPS}e env=OIDC_CLAIM_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{OIDC_CLAIM_DOMAIN}e env=OIDC_CLAIM_DOMAIN
- apiVersion: v1
kind: ConfigMap
metadata:
@@ -306,6 +339,9 @@ objects:
data:
auth-type: internal
auth-kerberos-realms: undefined
+ auth-oidc-provider-metadata-url: undefined
+ auth-oidc-client-id: undefined
+ auth-oidc-client-secret: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
@@ -744,6 +780,8 @@ objects:
limits:
memory: "${HTTPD_MEM_LIMIT}"
env:
+ - name: APPLICATION_DOMAIN
+ value: "${APPLICATION_DOMAIN}"
- name: HTTPD_AUTH_TYPE
valueFrom:
configMapKeyRef:
@@ -754,6 +792,24 @@ objects:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-kerberos-realms
+ - name: HTTPD_AUTH_OIDC_PROVIDER_METADATA_URL
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-oidc-provider-metadata-url
+ optional: true
+ - name: HTTPD_AUTH_OIDC_CLIENT_ID
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-oidc-client-id
+ optional: true
+ - name: HTTPD_AUTH_OIDC_CLIENT_SECRET
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-oidc-client-secret
+ optional: true
lifecycle:
postStart:
exec: