OIDC/OAuth2 token introspection in Keystone

Nikolla, Kristi knikolla at bu.edu
Wed Jan 8 15:43:31 UTC 2020


There is a patch to improve the documentation for using the CLI with OIDC, but it hasn't merged yet. See here: https://review.opendev.org/#/c/693838

Keystoneauth has plugins in place for authenticating with the OIDC IdP in multiple ways, including using an access token, see here https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/oidc.py

Best,
Kristi

On Jan 8, 2020, at 10:31 AM, mcarpene <m.carpen at cineca.it> wrote:


Many thanks Nikolla,

I was able to federate using an OIDC IdP via the dashboard. I meant that the problem is authenticating via the CLI, providing an OIDC token on the command line, but maybe you already answered my request.


BR,

Michele


On 08/01/20 16:28, wrote:
Hi Michele,

We just approved a feature request for that [0], however it was merged to backlog, meaning no specific timeline for it being implemented yet.

With the current implementation, you can use OAuth 2.0 Access Tokens with Keystone, however the token introspection endpoint will be used, therefore only the claims contained in the access token will be returned. I am assuming your question is with regards to the userinfo endpoint and OIDC claims, which we do not currently support.

[0]. https://review.opendev.org/#/c/373983/

On Jan 8, 2020, at 8:01 AM, mcarpene <m.carpen at cineca.it> wrote:


Hi all, my question is:

Could OS Keystone support OIDC/OAuth2 token introspection/validation? I mean, for example, executing a swift command via the CLI, adding an OIDC bearer token as a parameter to the swift command. In this case Keystone should validate the OIDC token against an external IdP (using the introspection endpoint/protocol for OIDC).

Is this currently supported, or will it eventually be done in the near future?

Thanks, Michele

--
Michele Carpené
SuperComputing Applications and Innovation Department
CINECA - via Magnanelli, 6/3, 40033 Casalecchio di Reno (Bologna) - ITALY
Tel: +39 051 6171730 Fax: +39 051 6132198
Skype: mcarpene
http://www.hpc.cineca.it/


--
Michele Carpené
SuperComputing Applications and Innovation Department
CINECA - via Magnanelli, 6/3, 40033 Casalecchio di Reno (Bologna) - ITALY
Tel: +39 051 6171730 Fax: +39 051 6132198
Skype: mcarpene
http://www.hpc.cineca.it/
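The distinction Kristi draws above, between validating an access token at the OAuth 2.0 introspection endpoint (RFC 7662) and fetching OIDC profile claims from the userinfo endpoint, is easy to get wrong in a resource server. The following is an added illustration, not code from Keystone or keystoneauth: it models a hypothetical IdP as in-memory tables (the token records, user profiles, audience name `swift`, and the `NOW` clock are all constructed for the example) and shows a validator that relies only on introspection, plus a second step that additionally consults userinfo. The point it makes concrete is that the introspection-only path returns no profile claims even for a perfectly valid token.

```python
"""Introspection-only token validation versus introspection plus OIDC userinfo.

Added example; not Keystone or keystoneauth code. The IdP is simulated by the
two dictionaries below so the script runs offline.
"""

# Constructed clock so the example is deterministic; real code uses time.time().
NOW = 1578498211  # 2020-01-08T15:43:31Z

# Constructed token records of a hypothetical IdP. A real IdP serves these over
# HTTPS and authenticates the introspection call with the resource server's
# client credentials. This mock returns the stored record as-is; many IdPs
# report an expired token as inactive, which is why the validator checks both.
_TOKENS = {
    "tok-alice-valid": {"active": True, "sub": "alice", "client_id": "openstack-cli",
                        "scope": "openid profile email", "aud": "swift", "exp": NOW + 600},
    "tok-bob-expired": {"active": True, "sub": "bob", "client_id": "openstack-cli",
                        "scope": "openid", "aud": "swift", "exp": NOW - 5},
    "tok-dave-noopenid": {"active": True, "sub": "dave", "client_id": "batch-job",
                          "scope": "storage.read", "aud": "swift", "exp": NOW + 600},
    "tok-carol-revoked": {"active": False},
}

# Constructed profile claims that only the OIDC userinfo endpoint exposes.
_USERINFO = {
    "alice": {"sub": "alice", "name": "Alice Example", "email": "alice@example.org",
              "groups": ["swift-admins"]},
    "bob": {"sub": "bob", "name": "Bob Example", "email": "bob@example.org", "groups": []},
    "dave": {"sub": "dave", "name": "Dave Batch", "email": "dave@example.org", "groups": []},
}


def introspect(token):
    """Mock of RFC 7662 POST /introspect.

    Unknown or revoked tokens yield only {"active": False}, so a caller learns
    nothing about a token it is not entitled to see.
    """
    record = _TOKENS.get(token)
    if record is None or not record.get("active"):
        return {"active": False}
    return dict(record)


def validate_bearer(token, audience, required_scopes, now=NOW):
    """Validate a bearer token the way an introspection-only resource server can.

    Returns {"ok": bool, "reason": str, "claims": dict}. On success the claims
    are exactly the introspection response: no name, email or group claims.
    """
    info = introspect(token)
    if not info.get("active"):
        return {"ok": False, "reason": "inactive", "claims": {}}
    # Check expiry locally as well; introspection responses may be cached.
    if info.get("exp", 0) <= now:
        return {"ok": False, "reason": "expired", "claims": {}}
    aud = info.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        return {"ok": False, "reason": "audience_mismatch", "claims": {}}
    granted = set(info.get("scope", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return {"ok": False, "reason": "missing_scope:" + ",".join(missing), "claims": {}}
    return {"ok": True, "reason": "ok", "claims": info}


def userinfo(token, now=NOW):
    """Mock of the OIDC userinfo endpoint: a live token carrying the openid scope
    is required; anything else gets no profile."""
    info = introspect(token)
    if not info.get("active") or info.get("exp", 0) <= now:
        return None
    if "openid" not in info.get("scope", "").split():
        return None
    return dict(_USERINFO[info["sub"]])


def resolve_identity(token, audience, required_scopes, now=NOW):
    """Validity from introspection, then profile claims from userinfo.

    This is the combined flow Kristi describes Keystone as not yet doing.
    Returns None when the token is not acceptable for this audience/scope.
    """
    result = validate_bearer(token, audience, required_scopes, now)
    if not result["ok"]:
        return None
    identity = {"sub": result["claims"]["sub"], "scope": result["claims"]["scope"]}
    profile = userinfo(token, now)
    if profile:
        identity.update(profile)
    return identity


if __name__ == "__main__":
    print(validate_bearer("tok-alice-valid", "swift", ["openid"]))
    print(resolve_identity("tok-alice-valid", "swift", ["openid"]))
```

Running it shows the gap directly: `validate_bearer` accepts Alice's token but its `claims` carry only `sub`, `scope`, `aud`, `client_id` and `exp`, while `resolve_identity` adds her `email` and `groups` from userinfo. A token without the `openid` scope still validates for its own scopes but yields no profile, and expired, revoked or wrong-audience tokens are rejected before any profile lookup happens.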
