[ops][keystone] Does anyone use external auth?

Colleen Murphy colleen at gazlene.net
Tue Jul 30 21:00:09 UTC 2019

On Tue, Jul 30, 2019, at 13:45, Fox, Kevin M wrote:
> https://www.youtube.com/watch?v=7BSnhRZ8nhs mentions they use 
> mod_auth_oidc. Not sure that is still true. But may want to reach out 
> to them.

The video shows that they're using federated authentication, which provides them with the ability to create a rich attribute mapping and connect their OpenIDC IdP to keystone while still using the auth module in front of keystone. The 'external' auth method only provides a subset of that functionality, which is simply the ability to accept the auth module's parameters as a valid authentication.


> Thanks,
> Kevin
> ________________________________________
> From: Colleen Murphy [colleen at gazlene.net]
> Sent: Tuesday, July 30, 2019 1:28 PM
> To: openstack-discuss at lists.openstack.org
> Subject: [ops][keystone] Does anyone use external auth?
> Currently, one of the default auth methods for keystone is 'external', 
> meaning keystone offloads authentication to an HTTPD auth module like 
> mod_ssl or mod_auth_kerb and gets the user's identity from the 
> REMOTE_USER variable passed in by the web server:
> https://docs.openstack.org/keystone/latest/admin/external-authentication.html
> The 'external' auth method existed before federation. The biggest 
> problem with external auth now is that it is effectively single-domain, 
> there's no way to parse anything besides a user identifier from the 
> REMOTE_USER variable, and keystone is barreling full steam ahead to a 
> multidomain world. The 'external' auth method conflicts with the 
> 'mapped' auth method as mentioned in the "Caution" notice in the above 
> document for the same reason. Moreover, we should be able to achieve 
> the same behavior with just federation, e.g. you can create a federated 
> IdP representing your SSL CA, and continue to use mod_ssl with a 
> mapping to properly parse all the attributes coming in from the auth 
> module.
> We'd like to start discouraging, deprecating, and removing external 
> auth in keystone. So our question to operators is: are you currently 
> using external auth? If so, which HTTPD auth modules are you using? And 
> is it a use case that we can't support with federated auth?
> Colleen (cmurphy)

More information about the openstack-discuss mailing list