[keystone] Federated users who wish to use CLI
Kristi Nikolla
kristi at nikolla.me
Thu Oct 24 17:21:26 UTC 2019
Keep us posted! It would be great to have this documented for
future reference.
On Thu, Oct 24, 2019 at 1:04 PM Rafael Weingärtner <
rafaelweingartner at gmail.com> wrote:
> We are using the "access_token_endpoint". The token is retrieved nicely
> from the IdP. However, the issue starts on Keystone side and the Apache
> HTTPD mod_auth_openidc. The CLI was not ready to deal with it. It is like
> Horizon, when we have multiple IdPs. The discovery process happens twice,
> once in Horizon and another one in Keystone. We already fixed the Horizon
> issue, and now we are working to fix the CLI. We should have something in
> the next few days.
>
> On Thu, Oct 24, 2019 at 1:29 PM Kristi Nikolla <kristi at nikolla.me> wrote:
>
>> Hi Rafael,
>>
>> I have no experience with using multiple identity providers directly in
>> Keystone. Does specifying the access_token_endpoint or discovery_endpoint
>> for the specific provider you are trying to authenticate to work?
>>
>> Kristi
>>
>> On Wed, Oct 23, 2019 at 2:06 PM Rafael Weingärtner <
>> rafaelweingartner at gmail.com> wrote:
>>
>>> Hello Colleen,
>>> Have you tested the OpenStack CLI with v3oidcpassword or v3oidcauthcode
>>> and multiple IdPs configured in Keystone?
>>>
>>> We are currently debugging and discussing on how to enable this support
>>> in the CLI. So far, we were not able to make it work with the current code.
>>> This also happens with Horizon. If one has multiple IdPs in Keystone, the
>>> "discovery" process would happen twice, one in Horizon and another in
>>> Keystone, which is executed by the OIDC plugin in the HTTPD. We already
>>> fixed the Horizon issue, but the CLI we are still investigating, and we
>>> suspect that is probably the same problem.
>>>
>>> On Wed, Oct 23, 2019 at 1:56 PM Colleen Murphy <colleen at gazlene.net>
>>> wrote:
>>>
>>>> Hi Jason,
>>>>
>>>> On Mon, Oct 21, 2019, at 14:35, Jason Anderson wrote:
>>>> > Hi all,
>>>> >
>>>> > I'm in the process of prototyping a federated Keystone using OpenID
>>>> > Connect, which will place ephemeral users in a group that has roles
>>>> in
>>>> > existing projects. I was testing how it felt from the user's
>>>> > perspective and am confused how I'm supposed to be able to use the
>>>> > openstacksdk with federation. For one thing, the RC files I can
>>>> > download from the "API Access" section of Horizon don't seem like
>>>> they
>>>> > work; the domain is hard-coded to "Federated",
>>>>
>>>> This should be fixed in the latest version of keystone...
>>>>
>>>> > and it also uses a
>>>> > username/password authentication method.
>>>>
>>>> ...but this is not, horizon only knows about the 'password'
>>>> authentication method and can't provide RC files for other types of auth
>>>> methods (unless you create an application credential).
>>>>
>>>> >
>>>> > I can see that there is a way to use KSA to use an existing OIDC
>>>> > token, which I think is probably the most "user-friendly" way, but
>>>> the
>>>> > user still has to obtain this token themselves out-of-band, which is
>>>> > not trivial. Has anybody else set this up for users who liked to use
>>>> > the CLI?
>>>>
>>>> All of KSA's auth types are supported by the openstack CLI. Which one
>>>> you use depends on your OpenID Connect provider. If your provider supports
>>>> it, you can use the "v3oidcpassword" auth method with the openstack CLI,
>>>> following this example:
>>>>
>>>> https://support.massopen.cloud/kb/faq.php?id=16
>>>>
>>>> On the other hand if you are using something like Google which only
>>>> supports the authorization_code grant type, then you would have to get the
>>>> authorization code out of band and then use the "v3oidcauthcode" auth type,
>>>> and personally I've never gotten that to work with Google.
>>>>
>>>> > Is the solution to educate users about creating application
>>>> > credentials instead?
>>>>
>>>> This is the best option. It's much easier to manage and horizon
>>>> provides openrc and clouds.yaml files for app creds.
>>>>
>>>> Hope this helps,
>>>>
>>>> Colleen
>>>>
>>>> >
>>>> > Thank you in advance,
>>>> >
>>>> > --
>>>> > Jason Anderson
>>>> >
>>>> > Chameleon DevOps Lead
>>>> > *Consortium for Advanced Science and Engineering, The University of
>>>> Chicago*
>>>> > *Mathematics & Computer Science Division, Argonne National Laboratory*
>>>>
>>>>
>>>
>>> --
>>> Rafael Weingärtner
>>>
>>
>>
>> --
>> Kristi
>>
>
>
> --
> Rafael Weingärtner
>
--
Kristi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20191024/7d25e0e2/attachment.html>
More information about the openstack-discuss
mailing list