FYI, we have another approach as well here:

https://github.com/vexxhost/keystoneauth-websso

From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Date: Monday, July 15, 2024 at 8:18 AM
To: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org>
Subject: Re: [keystone] Keystone Single Sign-On for REST API Access


On 15/07/2024 12:17, leon.amtmann@ibm.com wrote:
> In short: How does one end up with an unscoped token when trying to SSO against Keystone from something that is not Horizon?
>
Is this helpful?
https://github.com/IFCA-Advanced-Computing/keystoneauth-oidc

We use this to authenticate CLI with keystone/SSO.

Given this works for CLI, you should be able to use the underlying
openstacksdk library and keystoneauth-oidc to get a token in order to
interact with the APIs, if I've understood correctly what you want to
achieve.

Jonathan.