OIDCClaimPrefix "{{ cifmw_federation_keystone_OIDC_ClaimPrefix }}"
OIDCResponseType "{{ cifmw_federation_keystone_OIDC_ResponseType }}"
OIDCScope "{{ cifmw_federation_keystone_OIDC_Scope }}"
OIDCClaimDelimiter "{{ cifmw_federation_keystone_OIDC_ClaimDelimiter }}"
OIDCPassUserInfoAs "{{ cifmw_federation_keystone_OIDC_PassUserInfoAs }}"
OIDCPassClaimsAs "{{ cifmw_federation_keystone_OIDC_PassClaimsAs }}"
OIDCCryptoPassphrase "{{ cifmw_federation_keystone_OIDC_CryptoPassphrase }}"
OIDCMetadataDir "/var/lib/httpd/metadata"
OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/redirect_uri"
OIDCAuthRequestParams "prompt=login"
LogLevel rewrite:trace3 auth_openidc:debug

<IfModule headers_module>
  <Location "/v3/local-logout/clear">
    Header always add Set-Cookie "mod_auth_openidc_session=deleted; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=None"
  </Location>
</IfModule>

RewriteEngine On

RewriteRule ^/v3/auth/OS-FEDERATION/identity_providers/({{ cifmw_federation_IdpName }}|{{ cifmw_federation_IdpName2 }})/protocols/openid/websso$ \
  /v3/local-logout/clear [R=302,L]

RewriteRule ^/v3/local-logout/clear$ \
  /v3/auth/OS-FEDERATION/websso/openid [R=302,L,QSA,NE]

<Location "/v3/auth/OS-FEDERATION/websso/openid">
  AuthType openid-connect
  Require  valid-user
</Location>

<Location "/v3/redirect_uri">
  AuthType openid-connect
  Require  valid-user
</Location>