[ops][keystone] Does anyone use external auth?

Fox, Kevin M Kevin.Fox at pnnl.gov
Tue Jul 30 20:45:29 UTC 2019

https://www.youtube.com/watch?v=7BSnhRZ8nhs mentions they use mod_auth_oidc. Not sure that is still true. But may want to reach out to them.

From: Colleen Murphy [colleen at gazlene.net]
Sent: Tuesday, July 30, 2019 1:28 PM
To: openstack-discuss at lists.openstack.org
Subject: [ops][keystone] Does anyone use external auth?

Currently, one of the default auth methods for keystone is 'external', meaning keystone offloads authentication to an HTTPD auth module like mod_ssl or mod_auth_kerb and gets the user's identity from the REMOTE_USER variable passed in by the web server:


The 'external' auth method existed before federation. The biggest problem with external auth now is that it is effectively single-domain: there's no way to parse anything besides a user identifier from the REMOTE_USER variable, and keystone is barreling full steam ahead to a multidomain world. The 'external' auth method conflicts with the 'mapped' auth method as mentioned in the "Caution" notice in the above document for the same reason. Moreover, we should be able to achieve the same behavior with just federation, e.g. you can create a federated IdP representing your SSL CA, and continue to use mod_ssl with a mapping to properly parse all the attributes coming in from the auth module.

We'd like to start discouraging, deprecating, and removing external auth in keystone. So our question to operators is: are you currently using external auth? If so, which HTTPD auth modules are you using? And is it a use case that we can't support with federated auth?

Colleen (cmurphy)
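The federation alternative described above, as an added example that is not from this thread or from the keystone documentation: a keystone mapping rule that treats the SSL CA as the IdP and builds the user from mod_ssl's attributes instead of a bare REMOTE_USER. It assumes mod_ssl exposes its standard SSL_CLIENT_* variables to keystone (SSLOptions +StdEnvVars), that a keystone domain named after the certificate's O field already exists alongside the local user, and that the issuer DN is a placeholder to be replaced with the real CA's DN in the format the installed mod_ssl version emits.

```json
{
  "rules": [
    {
      "remote": [
        {"type": "SSL_CLIENT_S_DN_CN"},
        {"type": "SSL_CLIENT_S_DN_O"},
        {
          "type": "SSL_CLIENT_I_DN",
          "any_one_of": ["CN=PLACEHOLDER Internal CA,O=PLACEHOLDER Corp"]
        }
      ],
      "local": [
        {
          "user": {
            "name": "{0}",
            "domain": {"name": "{1}"},
            "type": "local"
          }
        }
      ]
    }
  ]
}
```

The first two remote entries become {0} and {1}; the any_one_of entry is a filter only, so a client certificate from any other issuer matches no rule and is rejected rather than mapped, which is the check external auth cannot express because it only ever sees REMOTE_USER.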