FYI, we have another approach as well here: https://github.com/vexxhost/keystoneauth-websso

From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Date: Monday, July 15, 2024 at 8:18 AM
To: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org>
Subject: Re: [keystone] Keystone Single Sign-On for REST API Access

On 15/07/2024 12:17, leon.amtmann@ibm.com wrote:
In short: How does one end up with an unscoped token when trying to SSO against Keystone from something that is not Horizon?

Is this helpful? https://github.com/IFCA-Advanced-Computing/keystoneauth-oidc

We use this to authenticate cli with keystone/SSO. Given this works for cli, you should be able to use the underlying openstacksdk library and keystoneauth-oidc to get a token in order to interact with the APIs, if I've understood correctly what you want to achieve.

Jonathan.