configure OpenID Connect auth on Beaker

inventory/group_vars/beaker

@@ -27,6 +27,10 @@ beaker_server_admin_user: "{{ prod_beaker_server_admin_user }}"
 beaker_server_admin_pass: "{{ prod_beaker_server_admin_pass }}"
 beaker_server_email: "sysadmin-qa-members@fedoraproject.org"
 
+beaker_oidc_token_info_url: "https://id.fedoraproject.org/openidc/TokenInfo"
+beaker_oidc_client_id: "beaker-prod"
+beaker_oidc_client_secret: "{{ prod_beaker_oidc_client_secret }}"
+
 beaker_lab_controller_username: "host/beaker01.qa.fedoraproject.org"
 beaker_lab_controller_password: "{{ prod_beaker_lab_controller_password }}"
 

inventory/group_vars/beaker-stg

@@ -27,6 +27,10 @@ beaker_server_admin_user: "{{ stg_beaker_server_admin_user }}"
 beaker_server_admin_pass: "{{ stg_beaker_server_admin_pass }}"
 beaker_server_email: "sysadmin-qa-members@fedoraproject.org"
 
+beaker_oidc_token_info_url: "https://id.stg.fedoraproject.org/openidc/TokenInfo"
+beaker_oidc_client_id: "beaker-stg"
+beaker_oidc_client_secret: "{{ stg_beaker_oidc_client_secret }}"
+
 beaker_lab_controller_username: "host/beaker-stg01.qa.fedoraproject.org"
 beaker_lab_controller_password: "{{ stg_beaker_lab_controller_password }}"
 

roles/beaker/server/templates/etc/beaker/server.cfg.j2

@@ -67,6 +67,10 @@ mail.on = True
 # /etc/httpd/conf.d/beaker-server.conf.
 #identity.krb_auth_principal = "HTTP/hostname@EXAMPLE.COM"
 #identity.krb_auth_keytab = "/etc/krb5.keytab"
+# OpenID Connect authentication
+identity.oauth2_token_info_url = "{{ beaker_oidc_token_info_url }}"
+identity.oauth2_client_id = "{{ beaker_oidc_client_id }}"
+identity.oauth2_client_secret = "{{ beaker_oidc_client_secret }}"
 
 # These are used when generating absolute URLs (e.g. in e-mails sent by Beaker)
 # You should only have to set this if socket.gethostname() returns the wrong