Hey All!

I've been reading the documentation here https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html and poking through the Keystone code to figure out how tokenless authentication works.

However, It doesn't seem like tokenless auth can be used as a full replacement for usernames and passwords when using ephemeral users?

I can manage to get a role assignment created that allows tokenless to work for domain and project scopes but it doesn't seem possible to set up tokenless for the system scope. Without system scope I can't list catalog services or get their endpoints.

Re-reading through the documentation it says:

This feature is designed to reduce the complexity of user token validation in Keystone auth_token middleware by eliminating the need for service user token for authentication and authorization.

Which seems like tokenless should only be used for user token validation and nothing else. It doesn't look like this auth mechanism can be used in the same manner as others for service-to-service communication?

I can't really tell if I am doing something wrong or my understanding of the documentation is correct and it should only be used for user token validation.

If tokenless should only be used for user token validation are there any plans to support it normally as a full replacement of usernames and passwords?

Thanks!

- Ryan