Add oidc config parameters

manifests/init.pp

@@ -211,6 +211,28 @@
 #
 # $keycloak_realm::               The realm as passed to keycloak-httpd-client-install
 #
+# === OIDC parameters:
+#
+# $authorize_login_delegation::   Authorize login delegation with REMOTE_USER HTTP header (true/false)
+#
+# $authorize_login_delegation_auth_source_user_autocreate::   Name of the external auth source where unknown externally authentication
+#                                                             users (see authorize_login_delegation) should be created. Empty means no autocreation.
+#
+# $login_delegation_logout_url::  Redirect your users to this url on logout (authorize_login_delegation should also be enabled)
+#
+# $oidc_jwks_url::                OpenID Connect JSON Web Key Set(JWKS) URL.
+#                                 Typically https://keycloak.example.com/auth/realms/<realm name>/protocol/openid-connect/certs when using
+#                                 Keycloak as an OpenID provider
+#
+# $oidc_audience::                Name of the OpenID Connect Audience that is being used for Authentication. In case of Keycloak this is the Client ID.
+#                                 ['oidc_app_name']
+#
+# $oidc_issuer::                  The iss (issuer) claim identifies the principal that issued the JWT, which exists at a
+#                                 `/.well-known/openid-configuration` in case of most of the OpenID providers.
+#
+# $oidc_algorithm::               The algorithm used to encode the JWT in the OpenID provider.
+#
+#
 class foreman (
   Stdlib::HTTPUrl $foreman_url = $foreman::params::foreman_url,
   Boolean $unattended = true,
@@ -307,6 +329,13 @@
   Boolean $register_in_foreman = true,
   Optional[Stdlib::Absolutepath] $provisioning_ct_location = undef,
   Optional[Stdlib::Absolutepath] $provisioning_fcct_location = undef,
+  Boolean $authorize_login_delegation = false,
+  String[1] $authorize_login_delegation_auth_source_user_autocreate = 'External',
+  Optional[String[1]] $login_delegation_logout_url = undef,
+  Optional[String[1]] $oidc_jwks_url = undef,
+  Array[String[1]] $oidc_audience = [],
+  Optional[String[1]] $oidc_issuer = undef,
+  String[1] $oidc_algorithm = 'RS256',
 ) inherits foreman::params {
   assert_type(Array[Stdlib::IP::Address], $trusted_proxies)
 

spec/classes/foreman_spec.rb

@@ -250,6 +250,13 @@
             keycloak_realm: 'myrealm',
             provisioning_ct_location: '/usr/bin/myct',
             provisioning_fcct_location: '/usr/bin/myfcct',
+            authorize_login_delegation: true,
+            authorize_login_delegation_auth_source_user_autocreate: 'External',
+            login_delegation_logout_url: 'https://foreman.top.com/users/extlogout',
+            oidc_jwks_url: 'https://keycloak.top.com/realms/myrealm/protocol/openid-connect/certs',
+            oidc_audience: ['cloack-app'],
+            oidc_issuer: 'https://keycloak.top.com/realms/myrealm',
+            oidc_algorithm: 'RS256',
           }
         end
 

templates/settings.yaml.erb

@@ -10,6 +10,17 @@
 :oauth_consumer_key: <%= scope.lookupvar("foreman::oauth_consumer_key") %>
 :oauth_consumer_secret: <%= scope.lookupvar("foreman::oauth_consumer_secret") %>
 
+<% if scope.lookupvar('foreman::authorize_login_delegation') -%>
+# The following values are used for oidc authentication
+:authorize_login_delegation: <%= scope.lookupvar("foreman::authorize_login_delegation") %>
+:authorize_login_delegation_auth_source_user_autocreate: <%= scope.lookupvar("foreman::authorize_login_delegation_auth_source_user_autocreate") %>
+:login_delegation_logout_url: <%= scope.lookupvar("foreman::login_delegation_logout_url") %>
+:oidc_jwks_url: <%= scope.lookupvar("foreman::oidc_jwks_url") %>
+:oidc_audience: <%= scope.lookupvar("foreman::oidc_audience") %>
+:oidc_issuer: <%= scope.lookupvar("foreman::oidc_issuer") %>
+:oidc_algorithm: <%= scope.lookupvar("foreman::oidc_algorithm") %>
+
+<% end -%>
 # Websockets
 :websockets_encrypt: <%= scope.lookupvar("foreman::websockets_encrypt") %>
 :websockets_ssl_key: <%= @websockets_ssl_key %>