55.7. The provider option in the ipaidp Ansible module

The following identity providers (IdPs) support the OAuth 2.0 device authorization flow:

- Microsoft Identity Platform, including Azure AD
- GitHub
- Keycloak, including Red Hat Single Sign-On (SSO)
- Okta

When you use the idp ansible-freeipa module to create a reference to one of these external IdPs, you can specify the IdP type with the provider option in the ipaidp ansible-freeipa playbook task. The provider option expands into the other options, as described below:
provider: microsoft

The Microsoft Azure IdP allows parametrization based on the Azure tenant ID, which you can specify with the organization option. If you need support for the live.com IdP, specify the option organization common. Choosing provider: microsoft expands to the following options. The value of the organization option replaces the string ${ipaidporg} in the table.

| Option | Value |
| --- | --- |
| auth_uri: URI | https://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/authorize |
| dev_auth_uri: URI | https://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/devicecode |
| token_uri: URI | https://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/token |
| userinfo_uri: URI | https://graph.microsoft.com/oidc/userinfo |
| keys_uri: URI | https://login.microsoftonline.com/common/discovery/v2.0/keys |
| scope: STR | openid email |
| idp_user_id: STR | email |
provider: google

Choosing provider: google expands to the following options:

| Option | Value |
| --- | --- |
| auth_uri: URI | https://accounts.google.com/o/oauth2/auth |
| dev_auth_uri: URI | https://oauth2.googleapis.com/device/code |
| token_uri: URI | https://oauth2.googleapis.com/token |
| userinfo_uri: URI | https://openidconnect.googleapis.com/v1/userinfo |
| keys_uri: URI | https://www.googleapis.com/oauth2/v3/certs |
| scope: STR | openid email |
| idp_user_id: STR | email |
provider: github

Choosing provider: github expands to the following options:

| Option | Value |
| --- | --- |
| auth_uri: URI | https://github.com/login/oauth/authorize |
| dev_auth_uri: URI | https://github.com/login/device/code |
| token_uri: URI | https://github.com/login/oauth/access_token |
| userinfo_uri: URI | https://openidconnect.googleapis.com/v1/userinfo |
| keys_uri: URI | https://api.github.com/user |
| scope: STR | user |
| idp_user_id: STR | login |
provider: keycloak

With Keycloak, you can define multiple realms or organizations. Because it is usually part of a custom deployment, both the base URL and the realm ID are required, and you specify them with the base_url and organization options in the ipaidp playbook task:

```yaml
---
- name: Playbook to manage IPA idp
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure keycloak idp my-keycloak-idp is present using provider
    ipaidp:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: my-keycloak-idp
      provider: keycloak
      organization: main
      base_url: keycloak.domain.com:8443/auth
      client_id: my-keycloak-client-id
```

Choosing provider: keycloak expands to the following options. The value you specify in the base_url option replaces the string ${ipaidpbaseurl} in the table, and the value you specify for the organization option replaces the string ${ipaidporg}.

| Option | Value |
| --- | --- |
| auth_uri: URI | https://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/auth |
| dev_auth_uri: URI | https://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/auth/device |
| token_uri: URI | https://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/token |
| userinfo_uri: URI | https://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/userinfo |
| scope: STR | openid email |
| idp_user_id: STR | email |
provider: okta

After registering a new organization in Okta, a new base URL is associated with it. You specify this base URL with the base_url option in the ipaidp playbook task:

```yaml
---
- name: Playbook to manage IPA idp
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure okta idp my-okta-idp is present using provider
    ipaidp:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: my-okta-idp
      provider: okta
      base_url: dev-12345.okta.com
      client_id: my-okta-client-id
```

Choosing provider: okta expands to the following options. The value you specify for the base_url option replaces the string ${ipaidpbaseurl} in the table.

| Option | Value |
| --- | --- |
| auth_uri: URI | https://${ipaidpbaseurl}/oauth2/v1/authorize |
| dev_auth_uri: URI | https://${ipaidpbaseurl}/oauth2/v1/device/authorize |
| token_uri: URI | https://${ipaidpbaseurl}/oauth2/v1/token |
| userinfo_uri: URI | https://${ipaidpbaseurl}/oauth2/v1/userinfo |
| scope: STR | openid email |
| idp_user_id: STR | email |
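To preview the endpoints an IdP reference will actually contact before running the playbook, the placeholder expansion from the microsoft, keycloak and okta tables above can be reproduced locally. The following is an added example, not code from ansible-freeipa; it transcribes those tables, substitutes organization and base_url, and rejects a base_url that carries a scheme (the templates prepend https:// themselves, and the playbooks above pass base_url without one).

```python
from string import Template

# Expansion tables transcribed from the provider sections above. The Google and
# GitHub templates contain no placeholders, so they are left out of this example.
PROVIDERS = {
    "microsoft": {
        "auth_uri": "https://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/authorize",
        "dev_auth_uri": "https://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/devicecode",
        "token_uri": "https://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/token",
        "userinfo_uri": "https://graph.microsoft.com/oidc/userinfo",
        "keys_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    },
    "keycloak": {
        "auth_uri": "https://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/auth",
        "dev_auth_uri": "https://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/auth/device",
        "token_uri": "https://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/token",
        "userinfo_uri": "https://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/userinfo",
    },
    "okta": {
        "auth_uri": "https://${ipaidpbaseurl}/oauth2/v1/authorize",
        "dev_auth_uri": "https://${ipaidpbaseurl}/oauth2/v1/device/authorize",
        "token_uri": "https://${ipaidpbaseurl}/oauth2/v1/token",
        "userinfo_uri": "https://${ipaidpbaseurl}/oauth2/v1/userinfo",
    },
}


def expand_provider(provider, organization=None, base_url=None):
    """Return the URI options that provider/organization/base_url expand to.

    Raises ValueError when a placeholder the provider needs has no value, or
    when base_url carries a scheme (the templates already prepend https://,
    so "https://host" would expand to "https://https://host/...").
    """
    if provider not in PROVIDERS:
        raise ValueError(f"no expansion table for provider {provider!r}")
    if base_url is not None and "://" in base_url:
        raise ValueError("base_url must be given without a scheme")
    values = {}
    if organization is not None:
        values["ipaidporg"] = organization
    if base_url is not None:
        values["ipaidpbaseurl"] = base_url
    expanded = {}
    for option, template in PROVIDERS[provider].items():
        try:
            expanded[option] = Template(template).substitute(values)
        except KeyError as missing:  # Template.substitute names the absent placeholder
            raise ValueError(f"{provider}: {option} needs {missing.args[0]}") from None
    return expanded
```

Running it with the values from the keycloak playbook above yields, for example, token_uri https://keycloak.domain.com:8443/auth/realms/main/protocol/openid-connect/token; omitting organization for keycloak raises ValueError.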
Additional resources