[keystone] OAuth2.0 implementation in Yoga

Hiromu Asahina hiromu.asahina.az at hco.ntt.co.jp
Tue Dec 14 16:39:06 UTC 2021


Please, could any of the keystone core members give me some advice on this spec?

We'd like to make the following points clear by the end of this year to forward the implementation. So, please kindly check it and let me know your opinion.

- OAuth2.0 scope [1]:
  As there are differences between the OAuth2.0 scope format and the Application credentials access rule format and we haven't found a good solution to map them, we'd like to omit the implementation of the OAuth2.0 scope in Yoga. Are there any concerns?
- Access policy configuration:
  - Which one is appropriate?
    (i) End-users can use the OAuth2.0 API if they have permission for the OAuth2.0 API even if they don't have permission for the Application credentials API
    (ii) End-users can use the OAuth2.0 API only if they have permission for both the OAuth2.0 API and the Application credentials API
- API endpoint:
  - Which one is appropriate?
    (i) `/identity/v3/auth/OS-OAUTH2/<user_id>/clients`
    (ii) `/identity/v3/users/{user_id}/OS-AUTH2/clients`
    (iii) other
[1] https://datatracker.ietf.org/doc/html/rfc6749#page-23

Hiromu Asahina (h_asahina)
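The format mismatch behind the first question, shown as an added example (not code from the author or from keystone): a strict parser for the `scope` parameter grammar of RFC 6749 section 3.3, next to an attempt to carry one keystone application credential access rule (the documented `service`/`method`/`path` JSON shape) inside a single scope-token. The scope-token alphabet excludes space, double quote and backslash, so a JSON-encoded rule is rejected by the parser. The access rule value and the helper names are constructed for this illustration.

```python
import json
import re
from typing import List, Optional

# RFC 6749 section 3.3 grammar for the scope parameter:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# i.e. one or more printable ASCII characters, excluding SP (0x20),
# double quote (0x22) and backslash (0x5C).
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")


def is_valid_scope_token(token: str) -> bool:
    """True if `token` matches the RFC 6749 scope-token production."""
    return bool(_SCOPE_TOKEN.match(token))


def parse_scope(scope: str) -> List[str]:
    """Split an OAuth2.0 scope parameter into its tokens.

    Raises ValueError on an empty scope, on an empty token (caused by
    leading/trailing or doubled spaces) or on a character outside the
    grammar, so that malformed scope strings are not silently accepted.
    """
    if scope == "":
        raise ValueError("scope must contain at least one scope-token")
    tokens = scope.split(" ")  # the only separator the grammar allows is a single SP
    for tok in tokens:
        if not is_valid_scope_token(tok):
            raise ValueError(f"invalid scope-token: {tok!r}")
    return tokens


def scope_is_valid(scope: str) -> bool:
    """Boolean wrapper around parse_scope for callers that only need a verdict."""
    try:
        parse_scope(scope)
        return True
    except ValueError:
        return False


# Constructed sample in the documented keystone access-rule JSON shape
# (service / method / path); the concrete values are made up here.
EXAMPLE_ACCESS_RULE = {"service": "compute", "method": "GET", "path": "/v2.1/servers"}


def access_rule_as_scope_token(rule: dict) -> Optional[str]:
    """Attempt to embed an access rule verbatim, JSON-encoded, as one scope-token.

    Returns the encoded token if it is representable, or None when the
    scope-token alphabet forbids it. JSON always contains double quotes,
    which the grammar excludes, so this returns None for every rule: the
    two formats cannot be mapped by simple embedding.
    """
    encoded = json.dumps(rule, separators=(",", ":"))
    return encoded if is_valid_scope_token(encoded) else None


if __name__ == "__main__":
    print(parse_scope("read write"))
    print(scope_is_valid("read  write"))
    print(access_rule_as_scope_token(EXAMPLE_ACCESS_RULE))
```

The parser rejects doubled or surrounding spaces rather than stripping them, because an authorization server that normalises scope strings leniently can grant a token for scopes the client never spelled correctly; the embedding helper just makes the grammar conflict concrete without proposing a mapping.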
