[keystone] anyone using OpenID with Keystone?

Jose Castro Leon jose.castro.leon at cern.ch
Wed Feb 16 14:45:02 UTC 2022

We are preparing something based on keystoneauth1 that uses an 
authorization code grant in OIDC that will send a URL to 
the client so they can do the SSO there and receive a validation code. 
Then you input the validation code in the CLI and receive an OIDC.

Once it receives the OIDC access token and refresh token, we cache them 
on the filesystem for subsequent calls.

The idea was to contribute it upstream once we clean it up a bit.


On 2/16/22 15:23, Nikolla, Kristi wrote:
> Would application credentials fit your use case for CLI access? Users 
> will be able to create them through Horizon, and after creation they 
> will be prompted to download either a clouds.yaml or an openrc file, so 
> the process is pretty straightforward.
> https://docs.openstack.org/keystone/latest/user/application_credentials.html
> Can you elaborate more on your issue with not being able to grant roles 
> to groups?
> Best,
> Kristi
>> On Feb 15, 2022, at 05:49, Francois <rigault.francois at gmail.com> wrote:
>> Hi Keystone users!
>> I am wondering if anyone has experience with keystone openid integration.
>> Initially I was using Keystone LDAP backend (using tripleo
>> KeystoneLDAPDomainEnable and KeystoneLDAPBackendConfigs parameters)
>> and it works! Users are able to log in through Horizon or through the
>> cli, roles can be given per LDAP group, and you can click in Horizon
>> and download a working openrc or clouds.yaml file (minus the root CA
>> that has to be added) to authenticate with the cli (and your password
>> ends as an OS_PASSWORD variable in your environment).
>> I am now trying the Keystone OpenID backend (using the
>> enable-federation-openidc.yaml provided by tripleo -
>> https://github.com/openstack/tripleo-heat-templates/blob/master/environments/enable-federation-openidc.yaml)
>> with a mapping like this:
>>    [{"local":[{"user":{"name":"{0}"},"group":{"domain":{"name":"Default"},"name":"federated_users"}}],"remote":[{"type":"HTTP_OIDC_EMAIL"}]}]
>> The SSO works superbly with Horizon, however
>> - logging in with the cli seems impractical. I see some doc here:
>> https://docs.ukcloud.com/articles/openstack/ostack-how-use-api-sso.html
>> where you need to provide a secret, I am skeptical I want to do that.
>> The openrc file downloaded from Horizon is not usable as is and needs
>> some tuning. And there is no SSO, and the password still ends up in
>> the environment...
>> - I don't see how I can grant roles to groups anymore. It seems I need
>> an extra mechanism to grant permissions (as I used to do that using
>> LDAP groups).
>> I am wondering if anyone is willing to share their experience dealing
>> with Keystone and OpenID.
>> Thanks!
>> Francois (frigo)
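As an added example (not code from the thread and not Keystone's own rule processor), a simplified Python model of how Keystone evaluates a federation mapping like the one Francois posted: the `HTTP_OIDC_EMAIL` attribute is substituted for `{0}` and the user is placed in the `federated_users` group, so roles assigned to that group apply to every federated login. The `any_one_of` / `not_any_of` handling shows how the same mapping can restrict which identities are accepted; the sample assertions and the restricted rule in the test are constructed.

```python
import re

# The mapping Francois posted, copied as a Python structure.
MAPPING = [{
    "local": [{"user": {"name": "{0}"},
               "group": {"domain": {"name": "Default"}, "name": "federated_users"}}],
    "remote": [{"type": "HTTP_OIDC_EMAIL"}],
}]

def _matches(values, req):
    """One 'remote' requirement: a bare {"type": X} only needs X present;
    any_one_of / not_any_of are allow / deny lists (regex when "regex": true).
    Simplified model of Keystone's semantics, not the real implementation."""
    def hit(v, pats):
        return any(re.search(p, v) for p in pats) if req.get("regex") else v in pats
    if "any_one_of" in req:
        return any(hit(v, req["any_one_of"]) for v in values)
    if "not_any_of" in req:
        return not any(hit(v, req["not_any_of"]) for v in values)
    return True

def _fill(obj, direct):
    """Substitute {0}, {1}, ... in the 'local' block with the direct-mapped
    remote values by walking the structure, so an attacker-controlled
    attribute value can never alter the surrounding structure."""
    if isinstance(obj, dict):
        return {k: _fill(v, direct) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_fill(v, direct) for v in obj]
    if isinstance(obj, str):
        return re.sub(r"\{(\d+)\}", lambda m: direct[int(m.group(1))], obj)
    return obj

def apply_mapping(mapping, assertion):
    """Evaluate the mapping against the environment variables mod_auth_openidc
    hands to Keystone, e.g. {"HTTP_OIDC_EMAIL": "alice@example.org"}.
    Returns the first matching rule's 'local' block, or None when nothing
    matches (Keystone then refuses the federated login)."""
    for rule in mapping:
        direct = []
        for req in rule["remote"]:
            raw = assertion.get(req["type"])
            if raw is None or not _matches(raw.split(";"), req):
                break            # missing or disallowed attribute: rule fails
            if "any_one_of" not in req and "not_any_of" not in req:
                direct.append(raw)   # only unconditional matches feed {n}
        else:
            return _fill(rule["local"], direct)
    return None
```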
