[keystone] Federated users who wish to use CLI
kristi at nikolla.me
Thu Oct 24 16:28:52 UTC 2019
I have no experience with using multiple identity providers directly in
Keystone. Does specifying the access_token_endpoint or discovery_endpoint
for the specific provider you are trying to authenticate to work?
On Wed, Oct 23, 2019 at 2:06 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
> Hello Colleen,
> Have you tested the OpenStack CLI with v3oidcpassword or v3oidcauthcode
> and multiple IdPs configured in Keystone?
> We are currently debugging and discussing how to enable this support in
> the CLI. So far, we were not able to make it work with the current code.
> This also happens with Horizon. If one has multiple IdPs in Keystone, the
> "discovery" process would happen twice, one in Horizon and another in
> Keystone, which is executed by the OIDC plugin in the HTTPD. We already
> fixed the Horizon issue, but for the CLI we are still investigating, and we
> suspect that it is probably the same problem.
> On Wed, Oct 23, 2019 at 1:56 PM Colleen Murphy <colleen at gazlene.net>
>> Hi Jason,
>> On Mon, Oct 21, 2019, at 14:35, Jason Anderson wrote:
>> > Hi all,
>> > I'm in the process of prototyping a federated Keystone using OpenID
>> > Connect, which will place ephemeral users in a group that has roles in
>> > existing projects. I was testing how it felt from the user's
>> > perspective and am confused how I'm supposed to be able to use the
>> > openstacksdk with federation. For one thing, the RC files I can
>> > download from the "API Access" section of Horizon don't seem like they
>> > work; the domain is hard-coded to "Federated",
>> This should be fixed in the latest version of keystone...
>> > and it also uses a
>> > username/password authentication method.
>> ...but this is not, horizon only knows about the 'password'
>> authentication method and can't provide RC files for other types of auth
>> methods (unless you create an application credential).
>> > I can see that there is a way to use KSA to use an existing OIDC
>> > token, which I think is probably the most "user-friendly" way, but the
>> > user still has to obtain this token themselves out-of-band, which is
>> > not trivial. Has anybody else set this up for users who like to use
>> > the CLI?
>> All of KSA's auth types are supported by the openstack CLI. Which one you
>> use depends on your OpenID Connect provider. If your provider supports it,
>> you can use the "v3oidcpassword" auth method with the openstack CLI,
>> following this example:
>> On the other hand, if you are using something like Google, which only
>> supports the authorization_code grant type, then you would have to get the
>> authorization code out of band and then use the "v3oidcauthcode" auth type,
>> and personally I've never gotten that to work with Google.
>> > Is the solution to educate users about creating application
>> > credentials instead?
>> This is the best option. It's much easier to manage and horizon provides
>> openrc and clouds.yaml files for app creds.
>> Hope this helps,
>> > Thank you in advance,
>> > --
>> > Jason Anderson
>> > Chameleon DevOps Lead
>> > *Consortium for Advanced Science and Engineering, The University of
>> > *Mathematics & Computer Science Division, Argonne National Laboratory*
> Rafael Weingärtner
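The two CLI options discussed in the thread (the "v3oidcpassword" auth type when the OpenID Connect provider supports the password grant, and an application credential as the recommended alternative) can both be expressed as entries in a clouds.yaml file read by the openstack CLI. The following is an added illustration, not a file from the original thread or from the OpenStack project; every host name, identity provider name, client id and credential value in it is a constructed placeholder.

```yaml
# clouds.yaml (added example; all endpoints and secrets are placeholders)
clouds:

  # 1. Direct OpenID Connect login with the resource-owner password grant.
  #    keystoneauth talks to the IdP token endpoint itself, then exchanges
  #    the access token at Keystone's federation endpoint for the named
  #    identity_provider/protocol pair. No Horizon-side discovery is involved.
  example-oidc:
    auth_type: v3oidcpassword
    auth:
      auth_url: https://keystone.example.com/v3            # placeholder
      identity_provider: example-idp                        # Keystone IdP name (placeholder)
      protocol: openid                                      # federation protocol name
      client_id: openstack-cli                              # OIDC client registered at the IdP (placeholder)
      client_secret: REPLACE_WITH_CLIENT_SECRET             # placeholder
      username: alice                                       # IdP username (placeholder)
      password: REPLACE_WITH_IDP_PASSWORD                   # placeholder
      # Either point at the IdP's OpenID discovery document ...
      discovery_endpoint: https://idp.example.com/.well-known/openid-configuration   # placeholder
      # ... or give the token endpoint explicitly instead:
      # access_token_endpoint: https://idp.example.com/protocol/openid-connect/token
      openid_scope: "openid profile email"
      project_name: demo                                    # placeholder
      project_domain_name: Default                          # placeholder
    identity_api_version: 3
    region_name: RegionOne                                  # placeholder

  # 2. Application credential, the option the thread recommends for CLI users.
  #    The credential is created once (in Horizon or with
  #    `openstack application credential create`) and inherits only the
  #    roles the federated user holds; nothing IdP-specific is needed here.
  example-appcred:
    auth_type: v3applicationcredential
    auth:
      auth_url: https://keystone.example.com/v3            # placeholder
      application_credential_id: REPLACE_WITH_APP_CRED_ID   # placeholder
      application_credential_secret: REPLACE_WITH_APP_CRED_SECRET   # placeholder
    identity_api_version: 3
    region_name: RegionOne                                  # placeholder
```

With this file in ~/.config/openstack/ (or the current directory), `openstack --os-cloud example-oidc token issue` exercises the first entry and `openstack --os-cloud example-appcred token issue` the second. When more than one identity provider is registered in Keystone, the `identity_provider`, `protocol` and `discovery_endpoint`/`access_token_endpoint` values in the first entry are what select the provider on the client side, which is the setting Kristi's question above refers to. The application credential entry carries a long-lived secret, so it belongs in a file readable only by its owner and should be scoped to the project and roles the user actually needs.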