Regression: Federated OIDC login broken in R4/zed keystone container

Created by: reqa

With the keystone container from R4/zed the federated OpenID Connect login no longer works. The containers are now based on Ubuntu 22.04, which ships an updated version of libapache2-mod-auth-openidc (2.4.11-1).

Debugging showed this error message:

2023-04-20 14:59:06.988284 oidc_authenticate_user: the URL scheme (https) of the configured OIDCRedirectURI does not match the URL scheme of the URL being accessed (http): the "state" and "session" cookies will not be shared between the two!

This looks like https://github.com/OpenIDC/mod_auth_openidc/issues/172

and @JuanPTM verified that adding the following option to wsgi-keystone.conf makes it work again:

OIDCXForwardedHeaders X-Forwarded-Proto

For reference: This seems to be the breaking upstream change.
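As an added illustration (not code from mod_auth_openidc or from this project), a small Python model of the scheme check behind the error above: the X-Forwarded-Proto header is only honoured when OIDCXForwardedHeaders names it, so behind a TLS-terminating proxy the callback looks like plain http until the directive is set. The redirect URI, host and function names are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed model of the scheme comparison mod_auth_openidc performs before
# it sets its "state" and "session" cookies (hypothetical names, not the
# module's own code). Forwarded headers count only when the directive
# OIDCXForwardedHeaders lists them; that opt-in is the fix from this issue.


def effective_scheme(request_scheme, headers, trusted_forwarded_headers=()):
    """Scheme the module believes the client used.

    request_scheme: scheme Apache saw on the wire ("http" behind a
        TLS-terminating proxy such as the one in front of keystone).
    headers: request headers, matched case-insensitively.
    trusted_forwarded_headers: header names taken from OIDCXForwardedHeaders.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    trusted = {h.lower() for h in trusted_forwarded_headers}
    if "x-forwarded-proto" in trusted and "x-forwarded-proto" in lowered:
        # A proxy chain may append several values; the first one is the client's.
        return lowered["x-forwarded-proto"].split(",")[0].strip().lower()
    return request_scheme


def redirect_uri_scheme_matches(redirect_uri, request_scheme, headers,
                                trusted_forwarded_headers=()):
    """True when the configured OIDCRedirectURI and the request being served
    agree on the scheme, i.e. the state/session cookies will be shared."""
    configured = urlparse(redirect_uri).scheme.lower()
    return configured == effective_scheme(request_scheme, headers,
                                          trusted_forwarded_headers)


# Constructed callback request as keystone's Apache sees it behind the proxy.
REDIRECT_URI = ("https://keystone.example.test/v3/OS-FEDERATION/"
                "identity_providers/idp/protocols/openid/websso")
PROXIED = {"Host": "keystone.example.test", "X-Forwarded-Proto": "https"}

# Default of the updated module: header ignored, mismatch, the log line above.
broken = redirect_uri_scheme_matches(REDIRECT_URI, "http", PROXIED)
# With "OIDCXForwardedHeaders X-Forwarded-Proto" in wsgi-keystone.conf.
fixed = redirect_uri_scheme_matches(REDIRECT_URI, "http", PROXIED,
                                    ["X-Forwarded-Proto"])
```

Enabling the directive means trusting whatever sets X-Forwarded-Proto, so the proxy must be the only path to the keystone listener.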

Definition of Done: