From 3df75c98bbb7b0d8862fc3192c28d762be88ce10 Mon Sep 17 00:00:00 2001
From: Michal Konecny <mkonecny@redhat.com>
Date: Wed, 1 Oct 2025 10:02:12 +0200
Subject: [PATCH] [haproxy] Redirect openid based on payload

When checking if the server has openid capabilities we are checking for
openid_identifier, let's redirect that to openid backend as well.

Signed-off-by: Michal Konecny <mkonecny@redhat.com>
---
 roles/haproxy/templates/haproxy.cfg | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 86ec3375de..f83c2a4a08 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -172,12 +172,15 @@ frontend ipsilon-frontend
     bind 0.0.0.0:10020
 
 {% if env == "staging" %}
+    option http-buffer-request
     # Define ipsilon OpenID only instance
     acl path_openidc path_beg /openidc
     acl path_openid path_beg /openid
+    acl is_openid_payload req.body_payload(0,0) -m sub 'openid_identifier'
 
     use_backend ipsilon-backend if path_openidc
     use_backend ipsilon-backend-openid if path_openid
+    use_backend ipsilon-backend-openid if is_openid_payload
 {% endif %}
 
     default_backend ipsilon-backend