<div dir="ltr"><div>Hello Colleen, <br></div><div>Have you tested the OpenStack CLI with v3oidcpassword or v3oidcauthcode and multiple IdPs configured in Keystone?</div><div><br></div><div>We are currently debugging and discussing how to enable this support in the CLI. So far, we have not been able to make it work with the current code. This also happens with Horizon. If one has multiple IdPs in Keystone, the "discovery" process would happen twice, once in Horizon and once in Keystone, where it is executed by the OIDC plugin in the HTTPD. We already fixed the Horizon issue, but we are still investigating the CLI, and we suspect it is probably the same problem.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 23, 2019 at 1:56 PM Colleen Murphy <<a href="mailto:colleen@gazlene.net">colleen@gazlene.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Jason,<br>
<br>
On Mon, Oct 21, 2019, at 14:35, Jason Anderson wrote:<br>
> Hi all,<br>
> <br>
> I'm in the process of prototyping a federated Keystone using OpenID <br>
> Connect, which will place ephemeral users in a group that has roles in <br>
> existing projects. I was testing how it felt from the user's <br>
> perspective and am confused how I'm supposed to be able to use the <br>
> openstacksdk with federation. For one thing, the RC files I can <br>
> download from the "API Access" section of Horizon don't seem like they <br>
> work; the domain is hard-coded to "Federated", <br>
<br>
This should be fixed in the latest version of keystone...<br>
<br>
> and it also uses a <br>
> username/password authentication method.<br>
<br>
...but this is not: horizon only knows about the 'password' authentication method and can't provide RC files for other types of auth method (unless you create an application credential).<br>
<br>
> <br>
> I can see that there is a way to use KSA to use an existing OIDC <br>
> token, which I think is probably the most "user-friendly" way, but the <br>
> user still has to obtain this token themselves out-of-band, which is <br>
> not trivial. Has anybody else set this up for users who liked to use <br>
> the CLI?<br>
<br>
All of KSA's auth types are supported by the openstack CLI. Which one you use depends on your OpenID Connect provider. If your provider supports it, you can use the "v3oidcpassword" auth method with the openstack CLI, following this example:<br>
<br>
<a href="https://support.massopen.cloud/kb/faq.php?id=16" rel="noreferrer" target="_blank">https://support.massopen.cloud/kb/faq.php?id=16</a><br>
<br>
On the other hand if you are using something like Google which only supports the authorization_code grant type, then you would have to get the authorization code out of band and then use the "v3oidcauthcode" auth type, and personally I've never gotten that to work with Google.<br>
<br>
> Is the solution to educate users about creating application <br>
> credentials instead?<br>
<br>
This is the best option. It's much easier to manage and horizon provides openrc and clouds.yaml files for app creds.<br>
<br>
Hope this helps,<br>
<br>
Colleen<br>
<br>
> <br>
> Thank you in advance,<br>
> <br>
> -- <br>
> Jason Anderson<br>
> <br>
> Chameleon DevOps Lead<br>
> *Consortium for Advanced Science and Engineering, The University of Chicago*<br>
> *Mathematics & Computer Science Division, Argonne National Laboratory*<br>
<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Rafael Weingärtner</div></div>
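The two client-side configurations the thread discusses, written out as an added example that is not part of any message above and not taken from Keystone, Horizon or the massopen.cloud FAQ: a clouds.yaml for the openstack CLI / openstacksdk with one cloud entry using keystoneauth's v3oidcpassword plugin (the route Colleen points at when the IdP supports the password grant) and one using an application credential (the route she recommends). Every hostname, identifier and secret below is a placeholder; the identity_provider and protocol values must match the IdP and federation protocol registered in Keystone, and project_name / project_domain_name must name one of the existing projects the federated group holds roles in.

```yaml
# Added illustration of two clouds.yaml entries (placeholder values throughout).
clouds:
  # Option 1: OpenID Connect password grant handled entirely by keystoneauth.
  # The client reads the token endpoint from discovery_endpoint, exchanges the
  # IdP username/password for an OIDC access token, then presents that token to
  # Keystone's /OS-FEDERATION/identity_providers/<idp>/protocols/<proto>/auth
  # endpoint to obtain an unscoped token, which it scopes to the project below.
  federated-oidc:
    auth_type: v3oidcpassword
    auth:
      auth_url: https://keystone.example.org:5000/v3   # placeholder
      identity_provider: example-idp                   # placeholder; Keystone IdP id
      protocol: openid                                 # placeholder; Keystone protocol id
      client_id: openstack-cli                         # placeholder; OIDC client registered at the IdP
      client_secret: CLIENT_SECRET_PLACEHOLDER
      discovery_endpoint: https://idp.example.org/.well-known/openid-configuration  # placeholder
      username: jdoe                                   # IdP credentials, not Keystone ones
      password: USER_PASSWORD_PLACEHOLDER
      project_name: example-project                    # placeholder; an existing project
      project_domain_name: Default                     # placeholder; domain of that project
    region_name: RegionOne
    interface: public
    identity_api_version: 3

  # Option 2: an application credential created once (via Horizon or the CLI)
  # after a federated web login. It inherits the creating user's roles on the
  # project but carries no IdP password, and it can be given an expiry or be
  # deleted without touching the user's IdP account.
  federated-appcred:
    auth_type: v3applicationcredential
    auth:
      auth_url: https://keystone.example.org:5000/v3   # placeholder
      application_credential_id: APP_CRED_ID_PLACEHOLDER
      application_credential_secret: APP_CRED_SECRET_PLACEHOLDER
    region_name: RegionOne
    interface: public
    identity_api_version: 3
```

Select either entry with `openstack --os-cloud federated-oidc token issue` (or `export OS_CLOUD=federated-appcred`). Two practical points: the client_secret, IdP password and application credential secret are plain text in this file, so keep them in the separately loaded secure.yaml that openstacksdk merges into clouds.yaml and restrict its permissions; and application credentials are created non-"unrestricted" by default, which stops a leaked credential from being used to mint further application credentials or trusts.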