Feature Request
Resolution: Unresolved
Important
Feature Request Overview
When configuring federation in OpenStack with a provider such as Azure's EntraID, the mod_oidc module in Apache in the keystone container requires an outgoing connection to Azure to validate the token provided by the user.
There's currently no way to set up a proxy for this purpose, which means the user needs to allow direct connections from the controllers to the public services in Azure.
Business justification
The OpenStack administrator could enable outgoing connections to specific URLs through a secure, company-wide proxy server, without affecting other services and without allowing connections to undesired target URLs.
Functional requirements
- mod_oidc in the Apache webserver of the keystone container can connect to public services using a proxy
- tokens are validated without a direct, routable connection to the internet
Describe the customer impact
The customer wants to use Federation services but is blocked from a security standpoint, as they are not allowed to have routable connections to the internet from internal RHOSP services.
Additional links
Related to / Should be part of RHOSSTRAT-964
- is related to: RHOSSTRAT-964 Support Keystone AD/EntraID Adoption (New)