[keystone] Re: openstack client integration to fetch and provide OIDC access tokens (v3oidcaccesstoken)?

Christian Rohmann christian.rohmann at inovex.de
Tue Jan 24 20:45:07 UTC 2023


Hey Jon, all,

Jose, Nikolla, Francois: You discussed the current state of 
using OIDC with keystone and a secure flow to
use existing SSO and only provide tokens to the openstack CLI in 
https://lists.openstack.org/pipermail/openstack-discuss/2022-February/027313.html, 
sorry I did not find this prior to posting and asking about this.
I took the liberty of CCing you.  Alvaro, you apparently wrote up the 
below-referenced spec about improving the OIDC support in keystone, so 
I CCed you as well.


1)
On 16/02/2022 15:45, Jose Castro Leon wrote:
> Hi,
> We are preparing something based on keystoneauth1 that uses an 
> authorization code grant in OIDC that will send a URL to 
> the client so they can do the SSO there and receive a validation code. 
> Then you input the validation code in the CLI and receive an OIDC.
>
> Once it receives the OIDC access token and refresh token, we cache 
> them on the filesystem for subsequent calls.
>
> The idea was to contribute it upstream once we clean it up a bit
>
> Cheers
> Jose 

Jose, could you maybe give an update on your endeavors? Do you have your 
code public anywhere?
Do you still plan to upstream this code?


2)
On 23/01/2023 13:59, Jonathan Rosser wrote:
> If my memory serves correctly I did approach the Keystone team in IRC 
> to have one of my developers contribute better support for OIDC in 
> keystoneauth, but there was a preference for a much more significant 
> rewrite of parts of keystone. Unfortunately time has passed and I 
> think that an external plugin is still needed for a secure OIDC cli 
> experience using a modern auth flow. 

That is exactly where we ended up when diving deeper into the existing 
OIDC capabilities :-)
Would you then consider contributing your code upstream?



3)
There likely would have to be a spec first to do any major change / 
addition to keystone auth capabilities.
But there already are some specs / ideas discussing the OIDC integration:

  * https://opendev.org/openstack/keystone-specs/src/branch/master/specs/keystone/backlog/oidc-improved-support.rst
  * less related, but quite recent: 
    https://opendev.org/openstack/keystone-specs/src/branch/master/specs/keystone/2023.1/support-oauth2-mtls.rst


4)
I certainly understand that my naive initial question about fetching a 
v3oidcaccesstoken and using it falls way short of the actually intended 
authentication flows,
such as using existing SSO (via PKCE) and then receiving the callback, 
but also making use of refresh tokens, handling expired tokens, ...



My intention is simply to revive the discussion around this topic and to 
potentially join forces / code to make keystone,
keystoneauth1 and the openstack clients integrate nicely and securely 
with (existing) OIDC infrastructure and flows.



Regards


Christian
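The CLI-side flow sketched in points 1 and 4 above (print an authorization URL for the user's browser SSO, take the code back, exchange it with PKCE, cache the tokens on disk, and use the refresh token once the access token has expired), as an added worked example. This is illustration code written for this page, not keystoneauth1, keystone or the code Jose or Jonathan refer to. Every URL, client id and redirect URI is made up, the IdP is a constructed in-memory stub so the script runs offline, and two pieces a real plugin also needs are left out: the local listener that receives the redirect, and validation of the ID token (signature, issuer, audience, nonce).

```python
# Added example (not keystone or keystoneauth1 code): the CLI side of an OIDC
# authorization-code + PKCE login with an owner-only token cache and refresh on
# expiry. IdP, endpoint URLs, client id and redirect URI are all constructed.
import base64, hashlib, json, os, secrets, stat, tempfile, time
import urllib.parse

def make_pkce_pair(verifier=None):
    """RFC 7636 code_verifier and its S256 code_challenge (base64url, no '=')."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(endpoint, client_id, redirect_uri, challenge, state):
    """The URL the CLI hands to the user to complete SSO in a browser."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "code_challenge": challenge,
              "code_challenge_method": "S256", "state": state}
    return endpoint + "?" + urllib.parse.urlencode(params)

def parse_callback(callback_url, expected_state):
    """Pull the code out of the redirect; a wrong state means it is not our login."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not from this login attempt")
    if "error" in query:
        raise RuntimeError("IdP returned error: " + query["error"][0])
    return query["code"][0]

def save_tokens(path, resp, now):
    """Cache tokens owner-only (0600) and store an absolute expiry time."""
    tokens = dict(resp, expires_at=now() + resp["expires_in"])
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)

def load_tokens(path):
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return json.load(f)

def get_access_token(path, token_request, login, now=time.time, skew=30):
    """Return (access_token, source): cache while valid, else refresh, else login."""
    cached = load_tokens(path)
    if cached and cached["expires_at"] - skew > now():
        return cached["access_token"], "cache"
    if cached and cached.get("refresh_token"):
        resp = token_request({"grant_type": "refresh_token",
                              "refresh_token": cached["refresh_token"]})
        if resp is not None:  # None = refresh rejected (revoked/rotated): log in again
            save_tokens(path, resp, now)
            return resp["access_token"], "refresh"
    resp = login()
    save_tokens(path, resp, now)
    return resp["access_token"], "login"

class FakeIdP:
    """Constructed stand-in for the IdP token endpoint: checks PKCE, rotates refresh tokens."""
    def __init__(self):
        self.codes, self.refresh_tokens = {}, set()

    def token(self, form):
        if form.get("grant_type") == "authorization_code":  # code is single use
            ok = make_pkce_pair(form["code_verifier"])[1] == self.codes.pop(form["code"], None)
        else:
            ok = form.get("grant_type") == "refresh_token" and form["refresh_token"] in self.refresh_tokens
            self.refresh_tokens.discard(form.get("refresh_token"))  # rotation: old one dies
        if not ok:
            return None
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens.add(rt)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt, "expires_in": 300}

def demo():
    """login -> cache hit -> clock past expiry -> refresh; return sources and cache file mode."""
    idp, clock = FakeIdP(), [1_000_000.0]
    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    now = lambda: clock[0]

    def login():
        verifier, challenge = make_pkce_pair()
        state = secrets.token_urlsafe(16)
        url = build_authorize_url("https://idp.example/authorize", "openstack-cli",
                                  "http://127.0.0.1:8080/cb", challenge, state)
        # A real CLI prints `url` and waits for the redirect; the browser hop is simulated:
        code = secrets.token_urlsafe(16)
        idp.codes[code] = challenge  # IdP side remembers the challenge bound to this code
        callback = "http://127.0.0.1:8080/cb?" + urllib.parse.urlencode(
            {"code": code, "state": state})
        return idp.token({"grant_type": "authorization_code",
                          "code": parse_callback(callback, state), "code_verifier": verifier})

    sources = [get_access_token(path, idp.token, login, now)[1],
               get_access_token(path, idp.token, login, now)[1]]
    clock[0] += 600  # well past expires_in=300, so the cached token is stale
    sources.append(get_access_token(path, idp.token, login, now)[1])
    return sources, stat.S_IMODE(os.stat(path).st_mode)
```

Two details carry most of the security value: the cache is created with mode 0600 via os.open rather than opened and chmod'ed afterwards (no window where it is world-readable), and a rejected refresh falls back to a full interactive login instead of failing, which is what makes refresh-token rotation and revocation tolerable for users.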