Hi Christian,

We deploy openstack with keystone behind Apache and mod_oidc, using Keycloak as an IdP with the client set as 'public' to enable PKCE. We provide a 'helper' git repo to set up a correctly configured virtualenv for users which also installs keystoneauth-oidc. A script in that repo lets a user trigger the login flow (essentially openstack <options> token issue) which launches a local browser window to complete the SSO / 2FA process. Environment vars including OS_TOKEN are exported by the script.

If my memory serves correctly, I did approach the Keystone team in IRC to have one of my developers contribute better support for OIDC in keystoneauth, but there was a preference for a much more significant rewrite of parts of keystone. Unfortunately time has passed and I think that an external plugin is still needed for a secure OIDC cli experience using a modern auth flow.

Jon.

On 23/01/2023 12:19, Christian Rohmann wrote:
Thanks Jonathan for your response!
On 23/01/2023 11:09, Jonathan Rosser wrote:
My team contributed patches to https://github.com/IFCA/keystoneauth-oidc to use PKCE so that a client ID and client secret do not need to be given to users.
That sounds interesting - I suppose this patch would extend the auth plugins listed at https://docs.openstack.org/keystoneauth/latest/plugin-options.html#available... ? Could you elaborate a little more on the architecture and auth workflow you have using this patch?
Do you have any plans to push this upstream to become part of the standard plugins by any chance?
Thanks again and with kind regards,
Christian
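As an added illustration of the PKCE pieces this thread is about (the authorization request carrying a code challenge, the loopback callback with a state check, and a token request that sends a code_verifier instead of a client secret), here is example code written for this page. It is not the keystoneauth-oidc plugin's code nor the helper script described above. The issuer URL, client ID and loopback port are placeholders; the endpoint path follows Keycloak's standard realm layout. The callback URL in the main block is constructed, as a local listener would receive it after the browser step.

```python
"""PKCE (RFC 7636) pieces of a public-client CLI login.

Example code added for this thread, not the keystoneauth-oidc plugin's
implementation. ISSUER, CLIENT_ID and REDIRECT_URI are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: substitute your Keycloak realm, the public client and the
# loopback port the CLI listens on for the redirect.
ISSUER = "https://keycloak.example.invalid/realms/openstack"
CLIENT_ID = "openstack-cli"  # public client: no secret is ever distributed
REDIRECT_URI = "http://127.0.0.1:8765/callback"


def make_verifier() -> str:
    """High-entropy code_verifier (43..128 URL-safe chars per RFC 7636)."""
    return secrets.token_urlsafe(64)  # 86 characters, unpadded base64url


def challenge_from_verifier(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(verifier: str, state: str, nonce: str) -> str:
    """Authorization request the CLI opens in the user's browser.

    Only the challenge travels in the URL; the verifier stays in the CLI
    process until the token exchange.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge_from_verifier(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


def parse_callback(url: str, expected_state: str) -> str:
    """Extract the authorization code from the loopback redirect.

    The state check binds the callback to this login attempt; a mismatch
    or an error response is rejected instead of being silently accepted.
    """
    query = parse_qs(urlparse(url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not from this login attempt")
    if "error" in query:
        raise ValueError(f"IdP returned error: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for the token endpoint: the verifier replaces a client secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier = make_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print("Open in browser:", build_authorize_url(verifier, state, nonce))
    # Constructed callback, as the local listener would receive it:
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    print("Token request body:", build_token_request(code, verifier))
```

The token endpoint (`.../protocol/openid-connect/token` on Keycloak) would receive the body from `build_token_request` as a form POST; because the client is public, the IdP verifies possession of the code by recomputing the S256 challenge from `code_verifier`, which is why no `client_secret` has to be handed to users.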