Hello All,
I'm trying to get a test IdP setup going via this document:
https://docs.openstack.org/kolla-ansible/latest/contributor/setup-identity-provider.html
and everything seems to be configured correctly; however, I am getting a
403 when I try to use the openstack CLI to test.
# openstack token issue
You are not authorized to perform the requested action. (HTTP 403)
(Request-ID: req-be79246b-ccc1-4fbd-ba3f-fa98b9cae7ba)
# openstack user show customer01
You are not authorized to perform the requested action. (HTTP 403)
(Request-ID: req-4e385968-796e-44a0-8003-351188c202ba)
In the keystone log I see a traceback with handle_unscoped_token and
apply_mapping_filter (full output here: https://pastebin.com/xZ2qeCPW
) so maybe I'm missing something with permissions?
I have the attribute mapping exactly as it is in the documentation,
and I'm getting this when I replicate the POST to userinfo with the
bearer token:
{"sub":"$UUID","email_verified":true,"name":"CustomerFirst CustomerLast","preferred_username":"customer01","given_name":"CustomerFirst","openstack-default-project":"customers","openstack-user-domain":"cloud.ld","family_name":"CustomerLast","email":"customer01@example.com"}
I also checked Keycloak and the user event log shows green
authentications. Both the domain and the project exist in identity as well:
# openstack domain list | grep cloud.ld
| $UUID | cloud.ld | True | |
# openstack project list | grep customers
| $UUID | customers |
I'm using these exports for the client:
export OS_AUTH_URL=http://$KEYSTONE_IP:5000/v3
export OS_PROJECT_NAME="customers"
export OS_PROJECT_DOMAIN_NAME="cloud.ld"
export OS_USERNAME="customer01"
export OS_PASSWORD="$USER_PASSWORD"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
export OS_AUTH_TYPE=v3oidcpassword
export OS_CLIENT_ID=Keystone
export OS_CLIENT_SECRET=$SECRET_ALTHOUGH_DOESNT_MATTER
export OS_IDENTITY_PROVIDER=cloud.ld
export OS_PROTOCOL=openid
export OS_ACCESS_TOKEN_ENDPOINT=https://$KEYCLOAK_IP:8443/realms/cloud.ld/protocol/openid-connect/token
Is there anything I might be missing here? Thanks for any help!
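One way to check a federation mapping offline against the userinfo claims quoted above, as an added example that is not part of the original post or of the kolla-ansible documentation: the mapping rule below is a constructed one in Keystone's rules format (not the documentation's actual mapping), and it assumes the Apache OIDC module presents each claim to Keystone with the default "OIDC-" prefix. The evaluator mirrors the mapping engine in outline only: every remote entry must match, and {n} in the local part refers to the n-th remote value.

```python
import json
import re

# Constructed userinfo payload, mirroring the claims quoted in the post.
USERINFO = {
    "sub": "$UUID", "email_verified": True, "name": "CustomerFirst CustomerLast",
    "preferred_username": "customer01", "given_name": "CustomerFirst",
    "openstack-default-project": "customers", "openstack-user-domain": "cloud.ld",
    "family_name": "CustomerLast", "email": "customer01@example.com",
}

# Hypothetical mapping in Keystone's rules format (an assumption, not the
# kolla-ansible documentation's mapping). "{n}" refers to the n-th remote entry.
MAPPING = {"rules": [{
    "local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}},
               "projects": [{"name": "{2}", "roles": [{"name": "member"}]}]}],
    "remote": [{"type": "OIDC-preferred_username"},
               {"type": "OIDC-openstack-user-domain", "any_one_of": ["cloud.ld"]},
               {"type": "OIDC-openstack-default-project"}],
}]}


def to_assertion(userinfo, prefix="OIDC-"):
    """Shape the claims as Keystone sees them: the Apache OIDC module hands
    each claim over as a request attribute named prefix + claim name (assumed)."""
    return {prefix + k: str(v) for k, v in userinfo.items()}


def apply_mapping(mapping, assertion):
    """Return the filled-in local spec of the first rule whose remote entries
    all match, or None when no rule matches, which is the situation in which
    Keystone's own apply_mapping_filter has no local identity to work with."""
    for rule in mapping["rules"]:
        values = []
        for remote in rule["remote"]:
            value = assertion.get(remote["type"])
            if value is None:
                break  # attribute absent (e.g. wrong claim prefix): no match
            if "any_one_of" in remote and value not in remote["any_one_of"]:
                break  # attribute present but outside the allowed values
            values.append(value)
        else:
            # Substitute {n} placeholders; values are assumed free of quotes.
            text = re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))],
                          json.dumps(rule["local"]))
            return json.loads(text)
    return None
```

Comparing the attribute names the rule expects with the names the assertion actually carries is the quickest way to see whether a rule can match at all; a claim that is present in userinfo but arrives under a different attribute name never matches.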