Keystone+Keycloak OIDC 403 Error on openstack CLI test
Hello All,

I'm trying to get a test idp setup going via this document: https://docs.openstack.org/kolla-ansible/latest/contributor/setup-identity-p... and everything seems to be configured correctly, however I am getting a 403 when I try to use the openstack CLI to test.

    # openstack token issue
    You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-be79246b-ccc1-4fbd-ba3f-fa98b9cae7ba)
    # openstack user show customer01
    You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-4e385968-796e-44a0-8003-351188c202ba)

In the keystone log I see a traceback with handle_unscoped_token and apply_mapping_filter (full output here: https://pastebin.com/xZ2qeCPW ), so maybe I'm missing something with permissions?

I have the attribute mapping exactly as it is in the documentation, and I'm getting this when I replicate the POST to userinfo with the bearer token:

    {"sub":"$UUID","email_verified":true,"name":"CustomerFirst CustomerLast","preferred_username":"customer01","given_name":"CustomerFirst","openstack-default-project":"customers","openstack-user-domain":"cloud.ld","family_name":"CustomerLast","email":"customer01@example.com"}

I also checked keycloak and the user event log shows green authentications.

Both domain and project exist in identity as well:

    # openstack domain list | grep cloud.ld
    | $UUID | cloud.ld | True | |
    # openstack project list | grep customers
    | $UUID | customers |

I'm using these exports for the client:

    export OS_AUTH_URL=http://$KEYSTONE_IP:5000/v3
    export OS_PROJECT_NAME="customers"
    export OS_PROJECT_DOMAIN_NAME="cloud.ld"
    export OS_USERNAME="customer01"
    export OS_PASSWORD="$USER_PASSWORD"
    export OS_INTERFACE=public
    export OS_IDENTITY_API_VERSION=3
    export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
    export OS_AUTH_TYPE=v3oidcpassword
    export OS_CLIENT_ID=Keystone
    export OS_CLIENT_SECRET=$SECRET_ALTHOUGH_DOESNT_MATTER
    export OS_IDENTITY_PROVIDER=cloud.ld
    export OS_PROTOCOL=openid
    export OS_ACCESS_TOKEN_ENDPOINT=https://$KEYCLOAK_IP:8443/realms/cloud.ld/protocol/openid-connect/token

Is there anything I might be missing here? Thanks for any help!
Hey,

One thing I don't see in your output is role assignment. Do you have role mapping as part of the mappings? Have you also tried to create a non-scoped token, to check if you are not granted permissions to the specific project, or in general?

Another guess is that, IIRC, keystone is not really managing role assignments after the shadow user is created (it could have changed in later releases). Then if you adjusted the configuration after the first login, it may still be acting with the prior permissions. So potentially cleaning up the user from shadow users in the DB might be worth trying as well.

On Thu, 23 Oct 2025, 06:36 Tyler Wilson, <tyler@ghosty.pw> wrote:
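Dmitriy's role-assignment point, together with the mapping and userinfo claims in the original post, can be checked offline. The following is an added example, not code from the thread or from Keystone itself: a simplified evaluator for Keystone's federation mapping rule format, run against the claims shown above, so you can see whether a given mapping produces only a shadow user or also a project/role assignment. The "OIDC-" claim prefix, both mapping rules and the "member" role are assumptions of this example; Keystone's real engine also merges several matching rules and handles groups, which this does not.

```python
# Constructed sample: the userinfo claims from the post, with the "OIDC-" prefix the
# Apache OIDC module adds before Keystone sees them (prefix assumed for this example).
CLAIMS = {"OIDC-" + k: v for k, v in {
    "sub": "$UUID", "preferred_username": "customer01", "email": "customer01@example.com",
    "openstack-user-domain": "cloud.ld", "openstack-default-project": "customers",
}.items()}

# Assumed mapping that only creates the shadow user: no projects/roles, so a
# project-scoped token request has no assignment to satisfy it.
MAPPING_NO_ROLE = {"rules": [{
    "local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}}}],
    "remote": [{"type": "OIDC-preferred_username"}, {"type": "OIDC-openstack-user-domain"}],
}]}
# Assumed mapping that also grants "member" on the default project named in the claims.
MAPPING_WITH_ROLE = {"rules": [{
    "local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}},
               "projects": [{"name": "{2}", "roles": [{"name": "member"}]}]}],
    "remote": [{"type": "OIDC-preferred_username"}, {"type": "OIDC-openstack-user-domain"},
               {"type": "OIDC-openstack-default-project"}],
}]}

def _fill(node, values):
    """Substitute {0}, {1}, ... placeholders with the matched remote claim values."""
    if isinstance(node, str):
        return node.format(*values)
    if isinstance(node, dict):
        return {k: _fill(v, values) for k, v in node.items()}
    if isinstance(node, list):
        return [_fill(v, values) for v in node]
    return node

def apply_mapping(mapping, claims):
    """Return the merged 'local' part of the first rule whose remote claims all match, else None."""
    for rule in mapping["rules"]:
        values = []
        for remote in rule["remote"]:
            value = claims.get(remote["type"])
            if value is None or value not in remote.get("any_one_of", [value]):
                break  # claim missing or any_one_of failed: this rule does not apply
            values.append(value)
        else:
            result = {}
            for local in rule["local"]:
                result.update(_fill(local, values))
            return result
    return None

def assignments(result):
    """(project, role) pairs a mapping result grants; empty means a scoped token will 403."""
    return [(p["name"], r["name"])
            for p in (result or {}).get("projects", []) for r in p.get("roles", [])]
```

If `assignments()` comes back empty for your mapping, the user is created but holds no role on "customers", which matches a 403 on a project-scoped `openstack token issue` while an unscoped token would still succeed.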
hi Tyler

try this, remove (unset all exports) except

    export OS_AUTH_URL=http://$KEYSTONE_IP:5000/v3
    export OS_AUTH_TYPE=v3oidcpassword
    export OS_IDENTITY_PROVIDER=cloud.ld
    export OS_PROTOCOL=openid

And set this one

    export OS_ACCESS_TOKEN=<See if you can get an access token from keycloak from your user profile>

not sure if you need to configure/create an application in kc to give access tokens

and

    openstack token issue

best
Mario

On 23/10/25 05:35, Tyler Wilson wrote:
participants (3)
- Dmitriy Rabotyagov
- Mario David
- Tyler Wilson