openstack client integration to fetch and provide OIDC access tokens (v3oidcaccesstoken)?
Christian Rohmann
christian.rohmann at inovex.de
Fri Jan 20 21:22:44 UTC 2023

Hey openstack-discuss,

while there is support for OpenID Connect and its various flows in the
openstack client
(https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html#envvar-OS_AUTH_TYPE),
I would like to have the user authenticate only with central IdP login
via a web page and then receive an access token, and not have each user's
openstack cli be a full OIDC client handling credentials and
authenticating against the IdP via the user's password itself.

The tricky bit here is having good tooling for users to authenticate via
the existing SSO and then to get and refresh tokens which are then fed
to the openstack CLI. I was wondering if anybody knows of some nice
integrations / plugins / hooks to make it easy for users to deal with
the authentication (usually via some web site) and then to inject the
token (v3oidcaccesstoken) into openstack-cli?

I found that Fedcloud.eu (https://www.fedcloud.eu/) does something like
this (see https://fedcloudclient.fedcloud.eu/usage.html#authentication)
via OIDC-Agent. But most platforms making use of OIDC seem to configure
the openstack client with client_id and secret and have it authenticate
directly with the IdP.

Regards,

Christian