<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
There is a patch to improve the documentation for using the CLI with OIDC, but it hasn't merged yet. See here <a href="https://review.opendev.org/#/c/693838" class="">https://review.opendev.org/#/c/693838</a>
<div class=""><br class="">
</div>
<div class="">Keystoneauth has plugins in place for authenticating with the OIDC IdP in multiple ways, including using an access token, see here <a href="https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/oidc.py" class="">https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/oidc.py</a></div>
<div class=""><br class="">
</div>
<div class="">Best,</div>
<div class="">Kristi<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Jan 8, 2020, at 10:31 AM, mcarpene &lt;<a href="mailto:m.carpen@cineca.it" class="">m.carpen@cineca.it</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">
<p class="">Many thanks Nikolla,</p>
<p class="">I was able to federate using OIDC IdP via the dashboard. I meant the problem is authenticating via CLI providing an OIDC token via command line, but maybe you already answered my request.</p>
<p class=""><br class="">
</p>
<p class="">BR,</p>
<p class="">Michele<br class="">
</p>
<p class=""><br class="">
</p>
<div class="moz-cite-prefix">On 08/01/20 16:28, wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:338A6D25-9DBF-492D-A94C-14E4A311FBE7@bu.edu" class="">
<div class="">Hi <span style="color: rgb(32, 31, 30); orphans: 2;
          widows: 2; background-color: rgb(255, 255, 255);" class="">Michele,</span></div>
<div class=""><br class="">
</div>
We just approved a feature request for that [0], however it was merged to backlog, meaning no specific timeline for it being implemented yet.
<div class=""><br class="">
</div>
<div class="">With the current implementation, you can use OAuth 2.0 Access Tokens with Keystone, however the token introspection endpoint will be used, therefore only the claims contained in the access token will be returned. I am assuming your question is
 with regards to the userinfo endpoint and OIDC claims, which we do not currently support.<br class="">
<div class="">
<div class=""><br class="">
</div>
<div class="">[0]. <a href="https://review.opendev.org/#/c/373983/" class="" moz-do-not-send="true">https://review.opendev.org/#/c/373983/</a><br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On Jan 8, 2020, at 8:01 AM, mcarpene &lt;<a href="mailto:m.carpen@cineca.it" class="" moz-do-not-send="true">m.carpen@cineca.it</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">
<p class="">
Hi all, my question is: <br class="">
</p>
<p class="">
Could OS Keystone support OIDC/OAuth2 token introspection/validation? I mean for example executing a swift command via CLI adding an OIDC token bearer as a parameter to the swift command. In this case Keystone should validate the OIDC token towards an external
 IdP (using introspection endpoint/protocol for oidc).</p>
<p class="">
Is this currently supported, or eventually would be done in the near future?</p>
<p class="">
thanks Michele</p>
<pre class="moz-signature" cols="72">-- 
Michele Carpené
SuperComputing Applications and Innovation Department
CINECA - via Magnanelli, 6/3, 40033 Casalecchio di Reno (Bologna) - ITALY
Tel: +39 051 6171730 Fax: +39 051 6132198
Skype: mcarpene
<a class="moz-txt-link-freetext" href="http://www.hpc.cineca.it/" moz-do-not-send="true">http://www.hpc.cineca.it/</a></pre>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">-- 
Michele Carpené
SuperComputing Applications and Innovation Department
CINECA - via Magnanelli, 6/3, 40033 Casalecchio di Reno (Bologna) - ITALY
Tel: +39 051 6171730 Fax: +39 051 6132198
Skype: mcarpene
<a class="moz-txt-link-freetext" href="http://www.hpc.cineca.it/">http://www.hpc.cineca.it/</a></pre>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
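<div class="">Added example, not part of the original thread and not Keystone or keystoneauth code: a generic RFC 7662 sketch of the introspection path discussed above, showing how a service provider builds the request, decides whether to accept the response, and which claims a mapping can then rely on. The issuer URL, client id, scope names and sample response are constructed, and the function names are hypothetical.</div>

```python
import base64
import time
from urllib.parse import urlencode

def build_introspection_request(endpoint, client_id, client_secret, token):
    """Build the RFC 7662 POST (url, headers, body); nothing is sent."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return endpoint, headers, body

def evaluate_introspection(resp, expected_issuer, required_scope, now=None):
    """Return (accepted, reason, claims) for an introspection response."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:      # the only field the RFC requires
        return False, "inactive", {}
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired", {}
    if resp.get("iss") != expected_issuer:
        return False, "issuer mismatch", {}
    if required_scope not in str(resp.get("scope", "")).split():
        return False, "missing scope", {}
    return True, "ok", {k: v for k, v in resp.items() if k != "active"}

def unavailable_claims(claims, wanted):
    """Claims a federation mapping wants that introspection did not return."""
    return sorted(set(wanted) - set(claims))

# Constructed sample response: token-level claims only, no profile data.
SAMPLE_RESPONSE = {"active": True, "iss": "https://idp.example.org",
                   "sub": "248289761001", "scope": "openid profile",
                   "client_id": "keystone-sp", "exp": 2000000000}

if __name__ == "__main__":
    ok, reason, claims = evaluate_introspection(
        SAMPLE_RESPONSE, "https://idp.example.org", "openid", now=1900000000)
    print(ok, reason, unavailable_claims(claims, ["sub", "email", "groups"]))
```

<div class="">A mapping rule keyed on a claim reported as unavailable here would never match on this path, since those values would have to come from the userinfo endpoint.</div>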
</body>
</html>