[keystone] anyone using OpenID with Keystone?

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Tue Feb 15 10:59:45 UTC 2022

We have patched a keystoneauth plugin to support PKCE which does not 
require a client secret.

It requires your identity provider to support PKCE, keycloak in our case.


Hope this is useful,

On 15/02/2022 10:49, Francois wrote:
> Hi Keystone users!
> I am wondering if anyone has experience with keystone openid integration.
> Initially I was using Keystone LDAP backend (using tripleo
> KeystoneLDAPDomainEnable and KeystoneLDAPBackendConfigs parameters)
> and it works! Users are able to log in through Horizon or through the
> cli, roles can be given per LDAP group, and you can click in Horizon
> and download a working openrc or clouds.yaml file (minus the root CA
> that has to be added) to authenticate with the cli (and your password
> ends as an OS_PASSWORD variable in your environment).
> I am now trying the Keystone Openid backend (using the
> enable-federation-openidc.yaml provided by tripleo -
> https://github.com/openstack/tripleo-heat-templates/blob/master/environments/enable-federation-openidc.yaml)
> with a mapping like this:
>      [{"local":[{"user":{"name":"{0}"},"group":{"domain":{"name":"Default"},"name":"federated_users"}}],"remote":[{"type":"HTTP_OIDC_EMAIL"}]}]
> The SSO works superb with Horizon, however
> - logging with the cli seems impractical. I see some doc here:
> https://docs.ukcloud.com/articles/openstack/ostack-how-use-api-sso.html
> where you need to provide a secret, I am skeptical I  want to do that.
> The openrc file downloaded from Horizon is not usable as is and needs
> some tuning. And there is no SSO, and the password still ends up in
> the environment...
> - I don't see how I can grant roles to groups anymore. It seems I need
> an extra mechanism to grant permissions (as I used to do that using
> LDAP groups).
> I am wondering if anyone is willing to share their experience dealing
> with Keystone and OpenID.
> Thanks!
> Francois (frigo)

More information about the openstack-discuss mailing list