Dear all. It has been a long time since we implemented this, so I had to refresh my mind. Also, it has been a long time since I contributed to OpenStack. See my responses inline.
On 16/02/2022 15:45, Jose Castro Leon wrote:
We are preparing something based on keystoneauth1 that uses an authorization code grant in OIDC that will send a URL to the client so they can do the SSO there and receive a validation code. Then you input the validation code in the CLI and receive an OIDC.
Once it receives the OIDC access token and refresh token, we cache them on the filesystem for subsequent calls.
The idea was to contribute it upstream once we clean it up a bit.
Cheers, Jose
Jose, could you maybe give an update on your endeavors? Do you have your code public anywhere? Do you still plan to upstream this code?
So far the first part is already implemented, using the Client Credentials grant type: https://github.com/openstack/keystoneauth/commit/e5fd66ca35424108ca0c1234119... The part about storing the access and refresh tokens on disk was never addressed though.
There likely would have to be a spec first to do any major change / addition to keystone auth capabilities. But there already are some specs / ideas discussing the OIDC integration:
* https://opendev.org/openstack/keystone-specs/src/branch/master/specs/keyston...
We implemented a prototype plugin for the Keystone server here: https://github.com/IFCA/keystone-oidc-auth-plugin And the client part here: https://github.com/IFCA/keystone-oidc-auth-plugin However, this was blocked due to this issue, which IIRC was introduced when Keystone removed the custom WSGI stack. https://bugs.launchpad.net/keystone/+bug/1854041 https://review.opendev.org/c/openstack/keystone/+/754694
I certainly understand that my naive initial question about fetching a v3oidcaccesstoken and using it comes way short of the actually intended authentication flows, such as using existing SSO (via PKCE) and then receiving the callback. But also making use of refresh tokens, handling expired tokens, ...
We had that interest too, but to be honest we then quit. However, I think that there is still a better approach, that is to use an OpenID Connect agent (that handles all the nasty handling of tokens) and then use the keystoneauth1 v3oidcaccesstoken plugin, modifying it to get the token from the agent: https://github.com/indigo-dc/oidc-agent
We have implemented this internally, and it has been a long time since we implemented it, but I think that I can test it (tomorrow CEST) and try to prepare a patch, also writing some documentation, if that helps. If there is some movement around it, it will be easier to get things merged.
Best,
--
Álvaro López García
Advanced Computing and e-Science Group
Instituto de Física de Cantabria (IFCA) - CSIC - UC
Ed. Juan Jordá, Avda. de los Castros s/n - 39005 Santander (SPAIN)
phone: (+34) 942 201 537 | skype: aloga.csic | keybase.io: aloga
http://alvarolopez.github.io
==
I understand.
Because it reverses the logical flow of conversation.
Why is top posting frowned upon?
Please do not top-post in email replies.
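The on-disk caching of the access and refresh tokens that Jose's CLI flow describes, and that the upstream Client Credentials commit never addressed, is the part most likely to leak a credential if done carelessly. The following is an added, stand-alone illustration (not keystoneauth1 code, not from the IFCA plugin or oidc-agent) of the defensive properties such a cache needs: a private directory, a 0600 file written atomically, a refusal to use a cache that has become world-readable, and an expiry check with clock skew so the caller knows when to refresh or re-run SSO. The access token itself is assumed to come from the SSO flow or from the agent; the token strings and clock values below are constructed.

```python
import json
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass
class CachedToken:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute Unix time computed from the server's expires_in


def store_tokens(path, access_token, refresh_token, expires_in, now=None):
    """Persist tokens for later CLI calls: private directory, 0600 file, atomic replace."""
    now = time.time() if now is None else now
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    token = CachedToken(access_token, refresh_token, now + float(expires_in))
    fd, tmp = tempfile.mkstemp(dir=str(path.parent), prefix=".tok-")  # mkstemp creates 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(token.__dict__, fh)
    os.replace(tmp, path)  # atomic: a concurrent CLI never reads a half-written file
    return token


def load_valid_token(path, now=None, skew=30):
    """Return the cached token, or None if missing or expiring within `skew` seconds."""
    now = time.time() if now is None else now
    path = Path(path)
    if not path.exists():
        return None
    if stat.S_IMODE(path.stat().st_mode) & 0o077:  # loosened by hand or by a bad umask?
        raise PermissionError(f"{path} is readable by other users; refusing to use it")
    token = CachedToken(**json.loads(path.read_text()))
    if token.expires_at - skew <= now:
        return None  # caller refreshes with refresh_token or re-runs the SSO flow
    return token


def demo():
    """Exercise the cache in a throwaway directory with constructed tokens and a fixed clock."""
    cache = Path(tempfile.mkdtemp()) / "openstack" / "oidc-token.json"
    stored = store_tokens(cache, "constructed-access-token", "constructed-refresh", 3600, now=1000.0)
    fresh = load_valid_token(cache, now=2000.0)
    stale = load_valid_token(cache, now=4590.0)  # 10 s left, below the 30 s skew
    mode = stat.S_IMODE(cache.stat().st_mode)
    return stored.expires_at, fresh.access_token, stale, mode
```

A keystoneauth1 plugin would feed the returned access_token to v3oidcaccesstoken and, on None, obtain a new pair before retrying.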