[keystone] Federated users who wish to use CLI

Kristi Nikolla kristi at nikolla.me
Thu Oct 24 16:28:52 UTC 2019

Hi Rafael,

I have no experience with using multiple identity providers directly in
Keystone. Does specifying the access_token_endpoint or discovery_endpoint
for the specific provider you are trying to authenticate to work?


On Wed, Oct 23, 2019 at 2:06 PM Rafael Weingärtner <
rafaelweingartner at gmail.com> wrote:

> Hello Colleen,
> Have you tested the OpenStack CLI with v3oidcpassword or v3oidcauthcode
> and multiple IdPs configured in Keystone?
> We are currently debugging and discussing how to enable this support in
> the CLI. So far, we were not able to make it work with the current code.
> This also happens with Horizon. If one has multiple IdPs in Keystone, the
> "discovery" process would happen twice, once in Horizon and again in
> Keystone, where it is executed by the OIDC plugin in the HTTPD. We already
> fixed the Horizon issue, but the CLI we are still investigating, and we
> suspect that it is probably the same problem.
> On Wed, Oct 23, 2019 at 1:56 PM Colleen Murphy <colleen at gazlene.net>
> wrote:
>> Hi Jason,
>> On Mon, Oct 21, 2019, at 14:35, Jason Anderson wrote:
>> >  Hi all,
>> >
>> >  I'm in the process of prototyping a federated Keystone using OpenID
>> > Connect, which will place ephemeral users in a group that has roles in
>> > existing projects. I was testing how it felt from the user's
>> > perspective and am confused how I'm supposed to be able to use the
>> > openstacksdk with federation. For one thing, the RC files I can
>> > download from the "API Access" section of Horizon don't seem like they
>> > work; the domain is hard-coded to "Federated",
>> This should be fixed in the latest version of keystone...
>> > and it also uses a
>> > username/password authentication method.
>> ...but this is not; horizon only knows about the 'password'
>> authentication method and can't provide RC files for other types of auth
>> methods (unless you create an application credential).
>> >
>> >  I can see that there is a way to use KSA to use an existing OIDC
>> > token, which I think is probably the most "user-friendly" way, but the
>> > user still has to obtain this token themselves out-of-band, which is
>> > not trivial. Has anybody else set this up for users who liked to use
>> > the CLI?
>> All of KSA's auth types are supported by the openstack CLI. Which one you
>> use depends on your OpenID Connect provider. If your provider supports it,
>> you can use the "v3oidcpassword" auth method with the openstack CLI,
>> following this example:
>> https://support.massopen.cloud/kb/faq.php?id=16
>> On the other hand, if you are using something like Google, which only
>> supports the authorization_code grant type, then you would have to get the
>> authorization code out of band and then use the "v3oidcauthcode" auth type,
>> and personally I've never gotten that to work with Google.
>> > Is the solution to educate users about creating application
>> > credentials instead?
>> This is the best option. It's much easier to manage and horizon provides
>> openrc and clouds.yaml files for app creds.
>> Hope this helps,
>> Colleen
>> >
>> >  Thank you in advance,
>> >
>> > --
>> >  Jason Anderson
>> >
>> >  Chameleon DevOps Lead
>> > *Consortium for Advanced Science and Engineering, The University of
>> Chicago*
>> > *Mathematics & Computer Science Division, Argonne National Laboratory*
> --
> Rafael Weingärtner
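As an added illustration that is not part of any message in this thread, the following clouds.yaml shows the two configurations the thread discusses side by side: a cloud entry using the keystoneauth "v3oidcpassword" plugin, with the discovery_endpoint pinned to one specific OpenID Connect provider (the option Kristi suggests for deployments with multiple identity providers), and a second entry using an application credential as Colleen recommends. Every host name, identity provider name, client id/secret, user name and project below is a placeholder; substitute the values from your own Keystone and IdP. The OIDC password flow only works when the IdP itself allows the resource-owner password grant, which is why the application credential entry is the more portable choice.

```yaml
# clouds.yaml (added example; all values are placeholders)
clouds:
  # Federated login straight from the CLI via the OIDC password grant.
  # Requires an IdP that permits the resource-owner password flow.
  federated-oidc:
    auth_type: v3oidcpassword
    auth:
      auth_url: https://keystone.example.com:5000/v3
      # Name of the identity provider and protocol as registered in Keystone
      # (openstack identity provider list / openstack federation protocol list).
      identity_provider: example-idp
      protocol: openid
      # OAuth2 client registered at the IdP for the CLI.
      client_id: openstack-cli
      client_secret: REPLACE_WITH_CLIENT_SECRET
      # Point the plugin at this provider's own discovery document so the
      # token endpoint is resolved for the right IdP; alternatively set
      # access_token_endpoint to that IdP's token URL directly.
      discovery_endpoint: https://idp.example.com/.well-known/openid-configuration
      openid_scope: "openid profile email"
      # IdP credentials of the federated user.
      username: alice
      password: REPLACE_WITH_IDP_PASSWORD
      # Scope the resulting Keystone token to a project the mapped group
      # holds roles in.
      project_name: demo
      project_domain_name: Default
    region_name: RegionOne
    identity_api_version: 3

  # Same user, but via an application credential created after one
  # federated login (Horizon can emit this file for app creds).
  federated-appcred:
    auth_type: v3applicationcredential
    auth:
      auth_url: https://keystone.example.com:5000/v3
      application_credential_id: REPLACE_WITH_APP_CRED_ID
      application_credential_secret: REPLACE_WITH_APP_CRED_SECRET
    region_name: RegionOne
    identity_api_version: 3
```

Select an entry with `OS_CLOUD=federated-oidc openstack token issue` (or `--os-cloud federated-appcred`). Because both entries hold long-lived secrets in plain text, keep the file readable only by the owning user (for example `chmod 600 ~/.config/openstack/clouds.yaml`), or move the secrets into a separate `secure.yaml` next to it, which openstacksdk merges in automatically. Application credentials can additionally be restricted to a set of roles and given an expiration when created, which bounds the impact if the file leaks.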
