hi Tyler, try this: remove (unset) all exports except

export OS_AUTH_URL=http://$KEYSTONE_IP:5000/v3
export OS_AUTH_TYPE=v3oidcpassword
export OS_IDENTITY_PROVIDER=cloud.ld
export OS_PROTOCOL=openid

and set this one:

export OS_ACCESS_TOKEN=<See if you can get an access token from keycloak from your user profile>

not sure if you need to configure/create an application in kc to give access tokens

and then

openstack token issue

best
Mario

On 23/10/25 05:35, Tyler Wilson wrote:
Hello All,
I'm trying to get a test idp setup going via this document: https://docs.openstack.org/kolla-ansible/latest/contributor/setup-identity-p... and everything seems to be configured correctly however I am getting a 403 when I try to use the openstack CLI to test.
# openstack token issue
You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-be79246b-ccc1-4fbd-ba3f-fa98b9cae7ba)
# openstack user show customer01
You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-4e385968-796e-44a0-8003-351188c202ba)
In the keystone log I see a traceback with handle_unscoped_token and apply_mapping_filter (full output here: https://pastebin.com/xZ2qeCPW ) so maybe I'm missing something with permissions?
I have the attribute mapping exactly as it is in the documentation, and I'm getting this when I replicate the POST to userinfo with the bearer token:
{"sub":"$UUID","email_verified":true,"name":"CustomerFirst CustomerLast","preferred_username":"customer01","given_name":"CustomerFirst","openstack-default-project":"customers","openstack-user-domain":"cloud.ld","family_name":"CustomerLast","email":"customer01@example.com"}
I also checked keycloak and the user event log shows green authentications. Both domain and project exist in identity as well:

# openstack domain list | grep cloud.ld
| $UUID | cloud.ld | True | |
# openstack project list | grep customers
| $UUID | customers |
I'm using these exports for the client:

export OS_AUTH_URL=http://$KEYSTONE_IP:5000/v3
export OS_PROJECT_NAME="customers"
export OS_PROJECT_DOMAIN_NAME="cloud.ld"
export OS_USERNAME="customer01"
export OS_PASSWORD="$USER_PASSWORD"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
export OS_AUTH_TYPE=v3oidcpassword
export OS_CLIENT_ID=Keystone
export OS_CLIENT_SECRET=$SECRET_ALTHOUGH_DOESNT_MATTER
export OS_IDENTITY_PROVIDER=cloud.ld
export OS_PROTOCOL=openid
export OS_ACCESS_TOKEN_ENDPOINT=https://$KEYCLOAK_IP:8443/realms/cloud.ld/protocol/openid-connect/token
Is there anything I might be missing here? Thanks for any help!
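Added example (not part of the thread, and not Keystone's own code): the traceback Tyler mentions is in apply_mapping_filter, which is where Keystone matches the federation mapping's "remote" attributes against the claims the Apache OIDC module exposes. A quick way to check that step offline is to dry-run the mapping against the userinfo document from the thread. The script below is a simplified re-implementation of the direct-map part of Keystone's mapping engine ({0}, {1}, ... placeholders plus the any_one_of / not_any_of filters; no regex, whitelist/blacklist or group handling, and each claim is treated as a single string rather than a ';'-separated list). The mapping rule and the "OIDC-" claim prefix are assumptions modelled on a typical kolla-ansible-style setup, not the document's verbatim rule; replace them with the output of `openstack mapping show <name> -f json` and the OIDCClaimPrefix from your Apache config.

```python
"""Dry-run a Keystone-style federation mapping against OIDC userinfo claims.

Simplified model of Keystone's mapping engine (direct map + any_one_of /
not_any_of), written as an added example; it is not Keystone's code.
"""
import json
import re

# Constructed input: the userinfo document from the thread, UUID replaced.
USERINFO = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "email_verified": True,
    "name": "CustomerFirst CustomerLast",
    "preferred_username": "customer01",
    "given_name": "CustomerFirst",
    "openstack-default-project": "customers",
    "openstack-user-domain": "cloud.ld",
    "family_name": "CustomerLast",
    "email": "customer01@example.com",
}

# Assumed mapping (not the doc's verbatim rule). The `type` names must equal
# the claim names exactly as Keystone sees them, prefix included.
MAPPING_RULES = [
    {
        "local": [
            {
                "user": {"name": "{0}", "email": "{1}", "domain": {"name": "{2}"}},
                "domain": {"name": "{2}"},
                "projects": [{"name": "{3}", "roles": [{"name": "member"}]}],
            }
        ],
        "remote": [
            {"type": "OIDC-preferred_username"},
            {"type": "OIDC-email"},
            {"type": "OIDC-openstack-user-domain"},
            {"type": "OIDC-openstack-default-project"},
        ],
    }
]

CLAIM_PREFIX = "OIDC-"  # assumption: must match OIDCClaimPrefix in Apache


def assertion_from_userinfo(userinfo, prefix=CLAIM_PREFIX):
    """Model the assertion environment: every claim becomes prefix+name."""
    return {prefix + k: str(v) for k, v in userinfo.items()}


def _substitute(value, direct_map):
    """Fill {N} placeholders in a local-rule template, recursively."""
    if isinstance(value, str):
        return re.sub(r"\{(\d+)\}", lambda m: direct_map[int(m.group(1))], value)
    if isinstance(value, dict):
        return {k: _substitute(v, direct_map) for k, v in value.items()}
    if isinstance(value, list):
        return [_substitute(v, direct_map) for v in value]
    return value


def evaluate_rule(rule, assertion):
    """Return (local_objects, reasons). local_objects is None when the rule
    does not match; reasons explains why (missing attrs or failed filter)."""
    direct_map, missing = [], []
    for req in rule["remote"]:
        name = req["type"]
        if name not in assertion:
            missing.append(name)
            continue
        val = assertion[name]
        if "any_one_of" in req:
            if val not in req["any_one_of"]:
                return None, [f"{name}={val!r} not in any_one_of"]
            continue  # filter requirements do not feed the direct map
        if "not_any_of" in req:
            if val in req["not_any_of"]:
                return None, [f"{name}={val!r} in not_any_of"]
            continue
        direct_map.append(val)
    if missing:
        return None, missing
    return [_substitute(local, direct_map) for local in rule["local"]], []


def dry_run(rules, userinfo, prefix=CLAIM_PREFIX):
    """Evaluate every rule; report what matched and why others were skipped."""
    assertion = assertion_from_userinfo(userinfo, prefix)
    report = {"matched": [], "skipped": []}
    for i, rule in enumerate(rules):
        local, why = evaluate_rule(rule, assertion)
        if local is None:
            report["skipped"].append((i, why))
        else:
            report["matched"].extend(local)
    return report


if __name__ == "__main__":
    print(json.dumps(dry_run(MAPPING_RULES, USERINFO), indent=2))
    # Same claims seen through mod_auth_openidc's default prefix: nothing
    # matches, so no local user/project can be produced for the request.
    print(json.dumps(dry_run(MAPPING_RULES, USERINFO, prefix="OIDC_CLAIM_"), indent=2))
```

If the first run produces the expected user, domain and project but the real Keystone still rejects the request, the mismatch is upstream of the mapping (claims not reaching Keystone, or a different prefix); if the dry run already reports missing remote attributes, the mapping's `type` names are what to fix.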