[keystone] OAuth2.0 implementation in Yoga

Hiromu Asahina hiromu.asahina.az at hco.ntt.co.jp
Tue Dec 14 16:39:06 UTC 2021


Hi,

Please, could any of the keystone core members give me some advice on this spec?
https://review.opendev.org/c/openstack/keystone-specs/+/813152

We'd like to make the following points clear by the end of this year so that we can move forward with the implementation. So, please kindly check it and let me know your opinion.

- OAuth2.0 scope [1]:
  As there are differences between the OAuth2.0 scope format and the Application credentials access rule format and we haven't found a good solution to map them, we'd like to omit the implementation of the OAuth2.0 scope in Yoga. Are there any concerns?
- Access policy configuration:
  - Which one is appropriate?
    (i) End-users can use the OAuth2.0 API if they have permission for the OAuth2.0 API even if they don't have permission for the Application credentials API
    (ii) End-users can use the OAuth2.0 API only if they have permission for both the OAuth2.0 API and the Application credentials API.
- API endpoint:
  - Which one is appropriate?
    (i) `/identity/v3/auth/OS-OAUTH2/<user_id>/clients`
    (ii) `/identity/v3/users/{user_id}/OS-AUTH2/clients`
    (iii) other

[1] https://datatracker.ietf.org/doc/html/rfc6749#page-23

Thanks,
Hiromu Asahina (h_asahina)