[keystone] anyone using OpenID with Keystone?
jonathan.rosser at rd.bbc.co.uk
Tue Feb 15 10:59:45 UTC 2022
We have patched a keystoneauth plugin to support PKCE which does not
require a client secret.
It requires your identity provider to support PKCE (Keycloak in our case).
Hope this is useful,
On 15/02/2022 10:49, Francois wrote:
> Hi Keystone users!
> I am wondering if anyone has experience with keystone openid integration.
> Initially I was using Keystone LDAP backend (using tripleo
> KeystoneLDAPDomainEnable and KeystoneLDAPBackendConfigs parameters)
> and it works! Users are able to log in through Horizon or through the
> cli, roles can be given per LDAP group, and you can click in Horizon
> and download a working openrc or clouds.yaml file (minus the root CA
> that has to be added) to authenticate with the cli (and your password
> ends as an OS_PASSWORD variable in your environment).
> I am now trying the Keystone OpenID backend (using the
> enable-federation-openidc.yaml provided by tripleo -
> with a mapping like this:
> The SSO works superbly with Horizon, however
> - logging in with the CLI seems impractical. I see some doc here:
> where you need to provide a secret, I am skeptical I want to do that.
> The openrc file downloaded from Horizon is not usable as is and needs
> some tuning. And there is no SSO, and the password still ends up in
> the environment...
> - I don't see how I can grant roles to groups anymore. It seems I need
> an extra mechanism to grant permissions (as I used to do that using
> LDAP groups).
> I am wondering if anyone is willing to share their experience dealing
> with Keystone and OpenID.
> Francois (frigo)
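As an added illustration (not the patched keystoneauth plugin Jonathan mentions, nor any Keystone or Keycloak code), the RFC 7636 PKCE exchange that lets a CLI client skip the client secret: the client makes a one-time code_verifier, sends only its S256 challenge in the authorization request, and the provider checks the verifier presented at the token endpoint against the challenge it stored with the code. The endpoint, client_id and redirect_uri values are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
_VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy secret held in memory for one login only."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, verifier: str, state: str) -> str:
    """Authorization request carrying the challenge; no client secret involved."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urllib.parse.urlencode(params)}"


def provider_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Provider side: the token request must carry the verifier whose S256
    challenge equals the one stored with the authorization code."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier),
                               stored_challenge)
```

Because the verifier never leaves the client until the token request over TLS, a leaked authorization code alone cannot be redeemed, which is what removes the need for a static secret in the CLI's environment.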
More information about the openstack-discuss