<div dir="ltr"><div class="gmail_default" style="font-size:small">Sorry - lost some links :)</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Unified delegation spec: <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html</a></div><div class="gmail_default" style="font-size:small">About OAuth2: <a href="https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/">https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 14, 2016 at 10:58 AM, Alexander Makarov <span dir="ltr"><<a href="mailto:amakarov@mirantis.com" target="_blank">amakarov@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Actually OAuth support is my next step in the "unified delegations"
effort [0], so it's a good time to think about what version of it
should be supported.</p>
<p>Along with that I have some concerns about OAuth v2, as IIRC
the authors themselves abandoned the spec. I'll check if something
changed since that time.<br>
</p><div><div class="h5">
<br>
<div>On 13.09.2016 00:43, Steve Martinelli
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>&lt;snip&gt;</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Would you please shed some light on how to
configure Keystone for OAuth1? Thank you very much.</div>
</div>
</blockquote>
<div><br>
</div>
<div>There is some documentation in the API but nothing
formally written out: <a href="http://developer.openstack.org/api-ref/identity/v3-ext/index.html" target="_blank">http://developer.<wbr>openstack.org/api-ref/<wbr>identity/v3-ext/index.html</a></div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>I am trying to develop an OAuth 2 client for Keystone.
We will contribute our OAuth 2 client source code to
the community if we can use Google/Facebook to log in
to OpenStack through the OAuth 2 client.</div>
<div><br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Currently you can set up keystone to work with Google /
Facebook and other social logins. If you've set up keystone
to use Shibboleth (which you did, I snipped that part of
the message), then you can set it up to use these social
logins as well. See documentation here: <a href="http://docs.openstack.org/developer/keystone/federation/federated_identity.html#id4" target="_blank">http://docs.openstack.<wbr>org/developer/keystone/<wbr>federation/federated_identity.<wbr>html#id4</a></div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Thanks.</div>
<div><br>
</div>
<div>Best regards,</div>
<div><br>
</div>
<div>Winston Hong</div>
<div>Ottawa, Ontario</div>
<div>Canada</div>
<div><br>
</div>
<div><br>
</div>
<div>Steve Martinelli &lt;s.martinelli [at] gmail&gt;
Jun 27, 2016, 10:57 PM </div>
<div><br>
</div>
<div>> So, the os-oauth routes you mention in the
documentation do not make </div>
<div>> keystone a proper oauth provider. We simply
perform delegation (one user </div>
<div>> handing some level of permission on a project
to another entity) with the </div>
<div>> standard flow established in the oauth1.0b
specification. </div>
<div>> </div>
<div>> Historically we chose oauth1.0 because one of
the implementers was very </div>
<div>> much against a flow based on oauth2.0 (though
the names are similar, these </div>
<div>> can be treated as two very different beasts,
you can read about it here </div>
<div>> [1]). Even amongst popular service providers
the choice is split down the </div>
<div>> middle, some providing support for both [2] </div>
<div>> </div>
<div>> We haven't bothered to implement support for
oauth2.0 since there has been </div>
<div>> no feedback or desire from operators to do so.
Mostly, we don't want </div>
<div>> yet-another-delegation mechanism in keystone,
we have trusts and oauth1.0; </div>
<div>> should an enticing use case arise to include
another, then we can revisit </div>
<div>> the discussion. </div>
<div>> </div>
<div>> [1] <a href="https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/" target="_blank">https://hueniverse.com/2012/07<wbr>/26/oauth-2-0-and-the-road-to-<wbr>hell/</a> </div>
<div>> [2] <a href="https://en.wikipedia.org/wiki/List_of_OAuth_providers" target="_blank">https://en.wikipedia.org/wiki/<wbr>List_of_OAuth_providers</a></div>
</div>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage
questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Kind Regards,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Alexander Makarov,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Senior Software Developer,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Mirantis, Inc.</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">35b/3, Vorontsovskaya St., 109147, Moscow, Russia</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (495) 640-49-04</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (926) 204-50-60</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Skype: MAKAPOB.AJIEKCAHDP</font><br></div></div></div></div>
</div>