[keystone] anyone using OpenID with Keystone?

Francois rigault.francois at gmail.com
Tue Feb 15 10:49:30 UTC 2022


Hi Keystone users!
I am wondering if anyone has experience with keystone openid integration.
Initially I was using Keystone LDAP backend (using tripleo
KeystoneLDAPDomainEnable and KeystoneLDAPBackendConfigs parameters)
and it works! Users are able to log in through Horizon or through the
cli, roles can be given per LDAP group, and you can click in Horizon
and download a working openrc or clouds.yaml file (minus the root CA
that has to be added) to authenticate with the cli (and your password
ends as an OS_PASSWORD variable in your environment).

I am now trying the Keystone Openid backend (using the
enable-federation-openidc.yaml provided by tripleo -
https://github.com/openstack/tripleo-heat-templates/blob/master/environments/enable-federation-openidc.yaml)
with a mapping like this:

    [
      {
        "local": [
          {
            "user": {"name": "{0}"},
            "group": {"domain": {"name": "Default"}, "name": "federated_users"}
          }
        ],
        "remote": [
          {"type": "HTTP_OIDC_EMAIL"}
        ]
      }
    ]

The SSO works superbly with Horizon, however:
- logging in with the cli seems impractical. I see some doc here:
https://docs.ukcloud.com/articles/openstack/ostack-how-use-api-sso.html
where you need to provide a secret; I am skeptical I want to do that.
The openrc file downloaded from Horizon is not usable as is and needs
some tuning. And there is no SSO, and the password still ends up in
the environment...
- I don't see how I can grant roles to groups anymore. It seems I need
an extra mechanism to grant permissions (as I used to do that using
LDAP groups).


I am wondering if anyone is willing to share their experience dealing
with Keystone and OpenID.

Thanks!
Francois (frigo)
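As an added illustration (not code from the post or from Keystone itself), here is a simplified re-implementation of how Keystone evaluates mapping rules, run over a constructed set of mod_auth_openidc request attributes: it applies the rule above plus a second remote attribute, HTTP_OIDC_GROUPS (an assumed claim name), that turns whitelisted IdP groups into Keystone groups so roles can again be assigned per group. Regex matching and blacklists are left out to keep it short.

```python
import json

# Constructed example: the post's mapping rule plus a second remote attribute so
# that IdP groups become Keystone groups. HTTP_OIDC_GROUPS is an assumed claim name
# (it depends on mod_auth_openidc's OIDCClaimPrefix and on the IdP releasing it).
MAPPING_RULES = json.loads("""[{"local": [
    {"user": {"name": "{0}"},
     "group": {"domain": {"name": "Default"}, "name": "federated_users"}},
    {"groups": "{1}", "domain": {"name": "Default"}}],
  "remote": [{"type": "HTTP_OIDC_EMAIL"},
             {"type": "HTTP_OIDC_GROUPS", "whitelist": ["cloud-admins", "cloud-users"]}]}]""")

def _direct_maps(remote, assertion):
    """Values feeding {0}, {1}, ... or None if the rule does not match. As in Keystone:
    ';' separates multi-valued attributes, a missing attribute fails the rule, and
    any_one_of/not_any_of only filter (they contribute no {n} value)."""
    maps = []
    for req in remote:
        raw = assertion.get(req["type"])
        if not raw:
            return None
        values = raw.split(";")
        if "any_one_of" in req or "not_any_of" in req:
            hit = bool(set(values) & set(req.get("any_one_of", req.get("not_any_of"))))
            if hit != ("any_one_of" in req):  # any_one_of needs a hit, not_any_of none
                return None
            continue
        if "whitelist" in req:
            values = [v for v in values if v in req["whitelist"]]
        maps.append(values[0] if len(values) == 1 else values)
    return maps

def evaluate_mapping(rules, assertion):
    """Merge the 'local' output of every matching rule; None if nothing matched."""
    out, matched = {"user": {}, "groups": []}, False
    for rule in rules:
        maps = _direct_maps(rule["remote"], assertion)
        if maps is None:
            continue
        matched = True
        for local in rule["local"]:
            for key, val in local.get("user", {}).items():
                out["user"][key] = val.format(*maps) if isinstance(val, str) else val
            if "group" in local:
                out["groups"].append(local["group"])
            if "groups" in local:  # "{n}" bound to a (possibly multi-valued) attribute
                names = maps[int(local["groups"].strip("{}"))]
                for name in ([names] if isinstance(names, str) else names):
                    out["groups"].append({"name": name, "domain": local["domain"]})
    return out if matched else None
```

The groups named in the whitelist still have to exist in the Default domain (with their role assignments) for the federated user to inherit anything.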
