[openstack-dev] [keystone] integrating keystone with oauth2 (keycloak)

Adam Young ayoung at redhat.com
Thu May 26 15:36:07 UTC 2016

On 05/26/2016 11:20 AM, Shtilman, Tomer (Nokia - IL) wrote:
> Hi
> Does keystone has any plugin/extension for oauth2 authentication 
> (keycloak in our case)
> We would like to integrate keystone with an external oauth2 system in 
> this way:
> 1/ Credentials / being sent to keystone
> 2/ Keystone will interact with external oauth2 server to  validate and 
> fetch user details,tenant(project),roles etc.. (no endpoints) and will 
> generate a token
Keycloak supports SAML2, which I've confirmed works using 
mod_auth_mellon and Federation on the Keystone side. We are working on 
confirming ECP.  I think ECP is the only viable Federation CLI approach 
for Keycloak right now, but we might be pleasantly surprised.

> 3/ Token will be used from this point , token will need to be 
> validated with oauth2 through keystone until expiry
> Any thought/insights will be highly appreciated
> Thanks
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160526/ee1c9f48/attachment.html>

More information about the OpenStack-dev mailing list