Hey Jon, all, Jose, Nikolla, Francois:

You discussed the current state of using OIDC with keystone, and a secure flow that uses existing SSO and only provides tokens to the openstack cli, in https://lists.openstack.org/pipermail/openstack-discuss/2022-February/027313... Sorry I did not find this prior to posting and asking about this. I took the liberty to CC you. Alvaro, you apparently wrote up the below-referenced spec about improving the OIDC support in keystone, so I CCed you as well.

1) On 16/02/2022 15:45, Jose Castro Leon wrote:
> Hi,
>
> We are preparing something based on keystoneauth1 that uses an authorization code grant in OIDC, which sends a URL to the client so they can do the SSO there and receive a validation code. Then you input the validation code in the CLI and receive an OIDC.
>
> Once it receives the OIDC access token and refresh token, we cache them on the filesystem for subsequent calls.
>
> The idea was to contribute it upstream once we clean it up a bit.
>
> Cheers
> Jose
Jose, could you maybe give an update on your endeavors? Do you have your code public anywhere? Do you still plan to upstream this code?

2) On 23/01/2023 13:59, Jonathan Rosser wrote:
> If my memory serves correctly, I did approach the Keystone team in IRC to have one of my developers contribute better support for OIDC in keystoneauth, but there was a preference for a much more significant rewrite of parts of keystone. Unfortunately time has passed and I think that an external plugin is still needed for a secure OIDC CLI experience using a modern auth flow.
That is exactly where we ended up when diving deeper into the existing OIDC capabilities :-) Would you then consider contributing your code upstream?

3) There would likely have to be a spec first to do any major change / addition to keystone's auth capabilities. But there already are some specs / ideas discussing the OIDC integration:

* https://opendev.org/openstack/keystone-specs/src/branch/master/specs/keyston...
* less related, but quite recent: https://opendev.org/openstack/keystone-specs/src/branch/master/specs/keyston...

4) I certainly understand that my naive initial question about fetching a v3oidcaccesstoken and using it falls way short of the actually intended authentication flows, such as using existing SSO (via PKCE) and then receiving the callback, but also making use of refresh tokens, handling expired tokens, ...

My intention is simply to revive the discussion around this topic and to potentially join forces / code to make keystone, keystoneauth1 and the openstack clients integrate nicely and securely with (existing) OIDC infrastructure and flows.

Regards
Christian
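The flow discussed in this thread (browser SSO, a code handed back to the CLI, access and refresh tokens cached on the filesystem, refresh on expiry, and PKCE binding the code to the client that started the login), written out as an added example for this message. It is not code from Jose's work, from keystoneauth1, or from any of the specs linked above. The identity provider is simulated in-process (FakeProvider) so the whole thing runs offline; the authorize endpoint, client_id, redirect URI, 300-second token lifetime and 30-second clock skew are assumptions, and a real client would take the endpoints from the provider's discovery document and send real HTTPS requests.

```python
import base64
import hashlib
import json
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLOCK_SKEW = 30  # assumed: seconds of slack before a cached token counts as expired
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"   # assumed placeholder
CLIENT_ID = "openstack-cli"                            # assumed placeholder
REDIRECT_URI = "http://127.0.0.1:8080/callback"        # assumed; could be an OOB/paste-the-code URI


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state, challenge):
    """The URL the CLI prints for the user to open; state and challenge tie the response to this run."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{authorize_endpoint}?{urlencode(params)}"


class FakeProvider:
    """Constructed stand-in for the IdP: remembers the challenge at /authorize, checks the verifier at /token."""

    def __init__(self):
        self._pending = {}    # authorization code -> (code_challenge, redirect_uri)
        self._refresh = set()  # currently valid refresh tokens

    def authorize(self, url):
        q = parse_qs(urlparse(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("client must use S256 PKCE")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return code, q["state"][0]   # what the browser redirect (or the pasted code) carries back

    def _issue(self):
        rt = secrets.token_urlsafe(24)
        self._refresh.add(rt)
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": rt, "expires_in": 300}

    def token(self, grant_type, **params):
        if grant_type == "authorization_code":
            # pop: an authorization code is single-use, even when verification fails
            challenge, redirect_uri = self._pending.pop(params["code"], (None, None))
            expected = b64url(hashlib.sha256(params["code_verifier"].encode("ascii")).digest())
            if challenge is None or not secrets.compare_digest(expected, challenge) \
                    or params["redirect_uri"] != redirect_uri:
                raise PermissionError("invalid_grant")
            return self._issue()
        if grant_type == "refresh_token":
            if params["refresh_token"] not in self._refresh:
                raise PermissionError("invalid_grant")
            self._refresh.discard(params["refresh_token"])   # rotation: the old refresh token dies
            return self._issue()
        raise ValueError("unsupported_grant_type")


class TokenCache:
    """Tokens on disk, owner read/write only, with the absolute expiry computed at save time."""

    def __init__(self, path):
        self.path = path

    def save(self, tokens, now):
        record = dict(tokens, expires_at=now + tokens["expires_in"])
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)

    def load(self):
        try:
            with open(self.path) as f:
                return json.load(f)
        except FileNotFoundError:
            return None


def get_access_token(provider, cache, now, user_login):
    """Usable access token: from cache, via silent refresh, or via a fresh interactive login."""
    cached = cache.load()
    if cached and cached["expires_at"] - CLOCK_SKEW > now:
        return cached["access_token"]
    if cached and cached.get("refresh_token"):
        try:
            fresh = provider.token("refresh_token", refresh_token=cached["refresh_token"])
            cache.save(fresh, now)
            return fresh["access_token"]
        except PermissionError:
            pass   # refresh token revoked or expired: fall through to interactive login
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url(AUTHORIZE_ENDPOINT, CLIENT_ID, REDIRECT_URI, state, challenge)
    code, returned_state = user_login(url)   # user does SSO in the browser; code comes back to the CLI
    if not secrets.compare_digest(returned_state, state):
        raise PermissionError("state mismatch: response is not for this login attempt")
    fresh = provider.token("authorization_code", code=code, code_verifier=verifier,
                           redirect_uri=REDIRECT_URI)
    cache.save(fresh, now)
    return fresh["access_token"]
```

The two checks worth noticing are the ones the CLI side cannot skip: the `code_verifier` never leaves the process until the token request, so a code intercepted from the browser redirect is useless to anyone else, and the cache file is created with mode 0600 because a cached refresh token is as good as a password for as long as the provider honours it.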