Hello OpenStack Community, and greetings especially to the Keystone experts among you.

I'm currently co-administering an OpenStack 17.1.3 cluster with a few compute nodes and three controllers. For a better user experience, we've enabled Single Sign-On using OIDC for Horizon, which is working fabulously. To do that, the [mod_auth_openidc module](https://github.com/OpenIDC/mod_auth_openidc) is configured for httpd on the controller nodes.

However, we're now facing a novel scenario for us. Basically, we want to interact with the OpenStack REST APIs, but not using a usual token request to `/v3/auth/tokens`; instead, using Single Sign-On. We've looked at the authentication request that Horizon makes to Keystone after successful authentication with the SSO provider. As far as we can tell:

1. After successful authentication with the SSO identity provider, Keystone redirects back to the redirect URI with a `grant_id`, `id_token` and `state` in the URL fragments (after `#` in the URL).
2. The redirect URI is `/v3/auth/OS-FEDERATION/websso/openid`, which contains HTML that will read the fragments and POST them as form data to somewhere.
3. Those fragments get POSTed to `/v3/auth/OS-FEDERATION/websso/openid`.
4. The response from Keystone is an HTML document containing an auth token, rigged to get POSTed to Horizon at `/dashboard/auth/websso/` (presumably to start a fresh session).

So far, so good. The [Keystone federation documentation](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...) does show the [Horizon flow](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...) in action. I can replicate it in part using cURL, by doing the same requests to the same endpoints that my browser does. However, I do not understand or see a request to `/v3/auth/OS-FEDERATION/websso/mapped` where Keystone actually issues a token. Instead, after the `id_token`, `grant_id`, etc. are POSTed to `/v3/auth/OS-FEDERATION/websso/openid`, Keystone responds with an HTML document containing the token (see step 4 in my earlier list). I've only seen this working for Horizon in an actual browser, though. Am I misunderstanding the documentation?

Right above that in the documentation, there is a section about an unrelated [OpenID Connect Authentication Flow](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...). It contains a graphic in which the first request made is a GET request to `/secure`. A direct GET request yields a `404`, so I assume this is a placeholder for any protected resource. However, if I request any protected resource without a valid token, I do not receive a 302 as the graphic would seem to suggest. Is this a behavior that would need to be configured first?

In short: How does one end up with an unscoped token when trying to SSO against Keystone from something that is not Horizon? I'm just wondering if I am on the correct path in trying to modify the `10-keystone.wsgi` in `/etc/httpd/conf.d/` to use [multiple providers](https://github.com/OpenIDC/mod_auth_openidc/wiki/Multiple-Providers). If, after starting the SSO process, I end up with a `grant_id` and an `id_token`, where do I POST this to get a Keystone token in return?

After going through the documentation, I am still at a loss. I would appreciate any help. Thank you for your time.
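Step 4 of the flow described in the post above is the part a non-browser client has to reproduce: Keystone hands back an HTML page whose only job is to auto-POST a token to Horizon. The following is an added example, not code from the post or from Keystone or Horizon, that parses such a page, extracts the token and refuses it when the form would deliver the token anywhere other than the expected Horizon host. It assumes the callback page carries the token in a hidden `<input name="token">` inside a form whose `action` attribute names the Horizon endpoint; both are assumptions about the page layout, and the sample HTML is constructed to match them.

```python
"""Extract the auth token from a Keystone WebSSO callback page (constructed sample).

Added example, not from the original post or from Keystone. Assumptions:
  - the token sits in a hidden form input named "token" (assumed field name)
  - the form's action attribute is the Horizon /dashboard/auth/websso/ URL
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample shaped like the auto-posting page described in step 4.
SAMPLE_CALLBACK_HTML = """<!DOCTYPE html>
<html><head><title>Keystone WebSSO redirect</title></head>
<body onload="document.forms[0].submit()">
<form method="post" action="https://horizon.example.test/dashboard/auth/websso/">
  <input type="hidden" name="token" id="token" value="gAAAAABexampleTOKEN" />
  <noscript><input type="submit" value="Continue" /></noscript>
</form>
</body></html>
"""


class WebSSOCallbackParser(HTMLParser):
    """Collect the first form's action URL and every hidden input on the page."""

    def __init__(self):
        super().__init__()
        self.form_action = None
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value) pairs; value may be None for bare attributes
        a = dict(attrs)
        if tag == "form" and self.form_action is None:
            self.form_action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name")
            if name:
                self.hidden[name] = a.get("value") or ""


def extract_websso_token(html, expected_host):
    """Return (token, action_url) from a callback page.

    Raises ValueError when the page has no form, when the form would post the
    token to a host other than expected_host (or over plain HTTP), or when no
    hidden "token" input is present. The host check matters because the page
    is executed blindly by a browser: a client that replays the flow should
    not hand the token to whatever URL the HTML happens to name.
    """
    parser = WebSSOCallbackParser()
    parser.feed(html)
    if not parser.form_action:
        raise ValueError("no form action found in callback page")
    target = urlsplit(parser.form_action)
    if target.scheme != "https" or target.netloc != expected_host:
        raise ValueError(f"token would be posted to unexpected target {parser.form_action!r}")
    token = parser.hidden.get("token")
    if not token:
        raise ValueError("no hidden 'token' input found in callback page")
    return token, parser.form_action


if __name__ == "__main__":
    tok, action = extract_websso_token(SAMPLE_CALLBACK_HTML, "horizon.example.test")
    print(f"token for {action}: {tok[:8]}...")
```

The token a client pulls out this way can then be used like any other Keystone token (for example as `X-Subject-Token` against `/v3/auth/tokens` to inspect it); the parser deliberately reads the `action` attribute rather than trusting the page's own JavaScript, since the page is designed to submit itself without any check.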