1 files changed, 52 insertions, 0 deletions

diff --git a/keystone/conf/oauth2.py b/keystone/conf/oauth2.py
new file mode 100644
index 000000000..dbe26cf59
--- /dev/null
+++ b/keystone/conf/oauth2.py
@@ -0,0 +1,52 @@
+# Copyright 2022 OpenStack Foundation
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_config import cfg
+
+from keystone.conf import utils
+
+oauth2_authn_methods = cfg.ListOpt(
+    'oauth2_authn_methods',
+    default=['tls_client_auth', 'client_secret_basic'],
+    help=utils.fmt("""
+The OAuth2.0 authentication method supported by the system when user obtains
+an access token through the OAuth2.0 token endpoint. This option can be set to
+certificate or secret. If the option is not set, the default value is
+certificate. When the option is set to secret, the OAuth2.0 token endpoint
+uses client_secret_basic method for authentication, otherwise tls_client_auth
+method is used for authentication.
+"""))
+
+oauth2_cert_dn_mapping_id = cfg.StrOpt(
+    'oauth2_cert_dn_mapping_id',
+    default='oauth2_mapping',
+    help=utils.fmt("""
+Used to define the mapping rule id. When not set, the mapping rule id is
+oauth2_mapping.
+"""))
+
+
+GROUP_NAME = __name__.split('.')[-1]
+ALL_OPTS = [
+    oauth2_authn_methods,
+    oauth2_cert_dn_mapping_id
+]
+
+
+def register_opts(conf):
+    conf.register_opts(ALL_OPTS, group=GROUP_NAME)
+
+
+def list_opts():
+    return {GROUP_NAME: ALL_OPTS}