[openstack-dev] [keystone][openid][mistral] Enabling OpenID Connect authentication w/o federation

Renat Akhmerov renat.akhmerov at gmail.com
Thu Jun 23 11:30:51 UTC 2016


I’m looking for some hints on how to enable authentication via OpenID Connect protocol, particularly in Mistral. Actually, specific protocol is not so important. I’m mostly interested in conceptional vision here and I’d like to ask the community if what we would like to do makes sense.

Problem statement

Whereas there are people using Mistral as an OpenStack service with proper Keystone authentication etc. some people want to be able to use it w/o OpenStack at all or in some scenarios where OpenStack is just one thing that Mistral workflows should interact with.

In one of our cases we want to use Mistral w/o OpenStack but we want to make Mistral perform authentication via OIDC. I’ve done some research on what Keystone already has that could help us do that and I found a group of plugins for OIDC authentication flows under [1]. The problem I see with these plugins for my particular case is that I still have to properly install Keystone and configure it for Federation since the plugins use Federation. Feels like a redundant time consuming step for me. A normal flow for these plugins is to first get so-called unscoped token via OIDC and then request a scoped token from Keystone via its Federation API. I think understand why it works this way, it’s well documented in Keystone docs. Briefly, it’s required to get user info, list of available resources etc, whatever OIDC server does not provide, it only works as an identity provider.

What ideally I'd like to do is to avoid installing and configuring Keystone at all. 

Possible solution

What I’m thinking about is: would it be OK to just create a set of new authentication plugins under keystoneauth project that would do the same as existing ones but w/o getting a Keystone scoped token? That way we could still take advantage of existing keystone auth plugins framework but w/o having to install and configure Keystone service. I realize that we’ll lose some capabilities that Keystone provides but for many cases it would be enough just to authenticate on a client and then validate token from HTTP headers via OIDC server on server side. Just one more necessary thing to do here is to fill tenant/project but that could be extracted from a token.


Would this new plugin have a right to be part of keystoneauth project despite Keystone service is not involved at all? The alternative is just to teach Mistral to do authentication w/o using keystone client  at all. But IMO the advantage of having such plugin (group of plugins actually) is that someone else could reuse it.
Is there any existing code that we could reuse to solve this problem? Maybe what I’m describing is already solved by someone.
Can you please point to some user examples on how to switch between authentication plugins in both client and service for some OpenStack services? I read the docs and looked at the code but it’s still not so clear how to implement support for different plugins on the client in the best way. I’m looking for best practices. Server side seems ok because we use keystonemiddleware and it can dynamically load a plugin by name and use relevant config options just by specifying “auth_plugin” property.
What may be some other caveats in the solution I described?


[1] https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/oidc.py <https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/oidc.py>

Renat Akhmerov

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160623/9d2b301e/attachment.html>

More information about the OpenStack-dev mailing list