Thanks Jonathan for your response!

On 23/01/2023 11:09, Jonathan Rosser wrote:
> My team contributed patches to
> https://github.com/IFCA/keystoneauth-oidc to use PKCE so that a client
> ID and client secret do not need to be given to users.

That sounds interesting - I suppose this patch would extend the auth plugins listed at
https://docs.openstack.org/keystoneauth/latest/plugin-options.html#available-plugins ?

Could you elaborate a little more on the architecture and auth workflow you have using this patch?

Do you have any plans to push this upstream to become part of the standard plugins by any chance?

Thanks again and with kind regards,

Christian