openstack client integration to fetch and provide OIDC access tokens (v3oidcaccesstoken)?
Jonathan Rosser
jonathan.rosser at rd.bbc.co.uk
Mon Jan 23 12:59:28 UTC 2023
Hi Christian,
We deploy openstack with keystone behind Apache and mod_oidc, using
Keycloak as an IdP with the client set as 'public' to enable PKCE.
We provide a 'helper' git repo to set up a correctly configured
virtualenv for users which also installs keystoneauth-oidc. A script in
that repo lets a user trigger the login flow (essentially openstack
<options> token issue) which launches a local browser window to complete
the SSO / 2FA process. Environment vars including OS_TOKEN are exported
by the script.
If my memory serves correctly I did approach the Keystone team in IRC to
have one of my developers contribute better support for OIDC in
keystoneauth, but there was a preference for a much more significant
rewrite of parts of keystone. Unfortunately time has passed and I think
that an external plugin is still needed for a secure OIDC cli experience
using a modern auth flow.
Jon.
On 23/01/2023 12:19, Christian Rohmann wrote:
> Thanks Jonathan for your response!
>
> On 23/01/2023 11:09, Jonathan Rosser wrote:
>> My team contributed patches to
>> https://github.com/IFCA/keystoneauth-oidc to use PKCE so that a
>> client ID and client secret do not need to be given to users.
>
> That sounds interesting - I suppose this patch would extend the auth
> plugins listed at
> https://docs.openstack.org/keystoneauth/latest/plugin-options.html#available-plugins
> ?
> Could you elaborate a little more on the architecture and auth
> workflow you have using this patch?
>
> Do you have any plans to push this upstream to become part of the
> standard plugins by any chance?
>
> Thanks again and with kind regards,
>
> Christian
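The flow Jonathan describes (a Keycloak client configured as 'public', so PKCE rather than a distributed client secret binds the authorization code to the CLI that requested it, followed by handing the resulting access token to keystone via the v3oidcaccesstoken plugin) is sketched below as an added example. It is not code from this thread, from keystoneauth-oidc or from the helper repo mentioned above; the realm URLs, client_id, redirect port, identity-provider and protocol names are constructed placeholders, and the code verifier/challenge arithmetic follows RFC 7636 (S256). Only the pure pieces are shown: the browser launch, the local redirect listener and the HTTP POST to the token endpoint are left to the caller.

```python
"""PKCE authorization-code flow pieces for a public OIDC client (RFC 7636).

Added example, not code from the mailing-list thread or from keystoneauth-oidc.
Endpoint URLs, client_id, redirect port and IdP/protocol names are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: a Keycloak realm publishes the real values in its
# .well-known/openid-configuration document.
AUTHORIZE_URL = "https://idp.example.test/realms/example/protocol/openid-connect/auth"
TOKEN_URL = "https://idp.example.test/realms/example/protocol/openid-connect/token"
CLIENT_ID = "openstack-cli"                      # public client: no secret shipped to users
REDIRECT_URI = "http://localhost:8080/callback"  # local listener the helper script opens


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Random verifier, 43..128 unreserved chars; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, scope: str = "openid profile email") -> str:
    """URL the script opens in the user's browser to start SSO / 2FA."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                       # ties the redirect back to this attempt
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect the browser sends back.

    Rejects an IdP error response and a state mismatch (a redirect that does
    not belong to the login attempt this process started).
    """
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"IdP returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for the token endpoint.

    The code_verifier, not a client_secret, proves that the process redeeming
    the code is the one that created the challenge; this is what lets the
    Keycloak client stay 'public'.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def keystone_env(access_token: str, auth_url: str, identity_provider: str, protocol: str) -> dict:
    """Environment the helper script would export so that `openstack token issue`
    authenticates through keystoneauth's v3oidcaccesstoken plugin.

    Variable names mirror the plugin's --os-* options; identity_provider and
    protocol are the names keystone was federated with (placeholders here).
    """
    return {
        "OS_AUTH_TYPE": "v3oidcaccesstoken",
        "OS_AUTH_URL": auth_url,
        "OS_IDENTITY_PROVIDER": identity_provider,
        "OS_PROTOCOL": protocol,
        "OS_ACCESS_TOKEN": access_token,
    }


if __name__ == "__main__":
    # Dry run: print the URL a user would be sent to and the token request shape.
    verifier, state = new_code_verifier(), secrets.token_urlsafe(16)
    print(build_authorize_url(verifier, state))
    print(build_token_request("<code from redirect>", verifier))
```

After the token endpoint answers, the script would export `keystone_env(...)` and run `openstack token issue`, then export the returned keystone token as OS_TOKEN; the OIDC access token itself never needs to leave the user's machine other than to keystone.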