[keystone] Re: openstack client integration to fetch and provide OIDC access tokens (v3oidcaccesstoken)?

Álvaro López García aloga at ifca.unican.es
Tue Jan 24 23:26:29 UTC 2023


Dear all.

It has been a long time since we implemented this, so I had to
refresh my memory. Also, it has been a long time since I contributed to OpenStack.

See my responses inline.

> On 16/02/2022 15:45, Jose Castro Leon wrote:
>
> > We are preparing something based on keystoneauth1 that uses an
> > authorization code grant in OIDC that will send you an url address to
> > the client so they can do the SSO there and receive a validation code.
> > Then you input the validation code in the CLI and receive an OIDC.
> > 
> > Once it receives the OIDC access token and refresh token, we cache them
> > on the filesystem for subsequent calls.
> > 
> > The idea was to contribute it upstream once we clean it up a bit
> > 
> > Cheers
> > Jose
> 
> Jose, could you maybe give an update on your endeavors? Do you have your
> code public anywhere?
> Do you still plan to upstream this code?

So far the first part is already implemented, using the Client
Credentials grant type:

    https://github.com/openstack/keystoneauth/commit/e5fd66ca35424108ca0c1234119d57dca85c93f7

The part about storing the access and refresh tokens on disk was never
addressed though.

> There likely would have to be a spec first to do any major change / addition
> to keystone auth capabilities.
> But there already are some specs / ideas discussing the OIDC integration:
> 
>  * https://opendev.org/openstack/keystone-specs/src/branch/master/specs/keystone/backlog/oidc-improved-support.rst

We implemented a prototype plugin for the Keystone server here:

    https://github.com/IFCA/keystone-oidc-auth-plugin

And the client part here:

    https://github.com/IFCA/keystone-oidc-auth-plugin

However, this was blocked due to this issue, which IIRC was introduced
when Keystone removed the custom WSGI stack.

    https://bugs.launchpad.net/keystone/+bug/1854041
    https://review.opendev.org/c/openstack/keystone/+/754694

> I certainly understand that my naive initial question about fetching a
> v3oidcaccesstoken and using it comes way short of the actually intended
> authentication flows,
> such as using existing SSO (via PKCE) and then receiving the callback. But
> also making use of refresh tokens, handling expired tokens, ...

We had that interest too, but to be honest then we quit.

However, I think that there is still a better approach, which is to use
an OpenID Connect agent (that handles all the nasty handling of tokens)
and then use the keystoneauth1 v3oidcaccesstoken plugin, modifying it
to get the token from the agent:

    https://github.com/indigo-dc/oidc-agent

We have implemented this internally, and it has been a long time since
we implemented it, but I think that I can test it (tomorrow CEST) and
try to prepare a patch, also writing some documentation, if that helps.
If there is some movement around it, it will be easier to get things merged.

Best,
-- 
Álvaro López García
Advanced Computing and e-Science Group
Instituto de Física de Cantabria (IFCA) - CSIC - UC
Ed. Juan Jordá, Avda. de los Castros s/n - 39005 Santander (SPAIN)
phone: (+34) 942 201 537 | skype: aloga.csic | keybase.io: aloga
http://alvarolopez.github.io
==
I understand.
> Because it reverses the logical flow of conversation.
>> Why is top posting frowned upon?
>>> Please do not top-post in email replies.
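The part of the thread that was never addressed upstream is the client-side handling of the tokens themselves: caching the access and refresh token on disk between CLI invocations, and refreshing when the cached access token has expired. The following is an added example illustrating that piece; it is not code from keystoneauth1, from the IFCA plugins or from oidc-agent. The cache file layout, the field names and the `refresh` callable (standing in for a real request to the provider's token endpoint) are assumptions made for the illustration.

```python
"""Constructed example: an on-disk cache for OIDC access/refresh tokens.

The cache is written 0600 and refused if it is group/world accessible,
because an OIDC access token is a bearer credential: anyone who can read
the file can act as the user until it expires.
"""
import json
import os
import stat
import tempfile
import time
from typing import Callable, Dict, Optional

# Refresh this many seconds before the recorded expiry so a token that is
# valid when read is not already expired by the time it reaches Keystone.
CLOCK_SKEW = 60


class TokenCache:
    def __init__(self, path: str, now: Callable[[], float] = time.time):
        self.path = path
        self.now = now  # injectable clock, so expiry can be exercised offline

    def load(self) -> Optional[Dict]:
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return None
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{self.path} is group/world accessible; refusing to use it")
        with open(self.path) as fh:
            return json.load(fh)

    def save(self, record: Dict) -> None:
        # mkstemp creates the file 0600; writing to a temp file in the same
        # directory and renaming means the cache is never observably partial.
        dirname = os.path.dirname(self.path) or "."
        fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".tokens-")
        try:
            with os.fdopen(fd, "w") as fh:
                json.dump(record, fh)
            os.chmod(tmp, 0o600)  # explicit, in case the umask is unusual
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)
            raise

    def store_response(self, token_response: Dict) -> Dict:
        # Providers return a relative ``expires_in``; store an absolute
        # ``expires_at`` so a later process can check it without the response.
        record = {
            "access_token": token_response["access_token"],
            "refresh_token": token_response.get("refresh_token"),
            "expires_at": self.now() + int(token_response["expires_in"]),
        }
        self.save(record)
        return record

    def get_access_token(self, refresh: Callable[[str], Dict]) -> str:
        """Return a usable access token, refreshing via ``refresh`` if needed."""
        record = self.load()
        if record is not None and record["expires_at"] - CLOCK_SKEW > self.now():
            return record["access_token"]
        if record is None or not record.get("refresh_token"):
            raise RuntimeError("no usable cached token; run the interactive login again")
        new = refresh(record["refresh_token"])
        # Some providers rotate the refresh token on every use and some do
        # not; keep the previous one if the response carries none.
        new.setdefault("refresh_token", record["refresh_token"])
        return self.store_response(new)["access_token"]


def demo() -> Dict:
    """Constructed walk-through: a cached token is reused, then refreshed after expiry."""
    clock = [1_700_000_000.0]
    calls = []

    def fake_refresh(refresh_token: str) -> Dict:
        # Constructed stand-in for the token endpoint; no refresh-token rotation.
        calls.append(refresh_token)
        return {"access_token": "AT2", "expires_in": 3600}

    with tempfile.TemporaryDirectory() as tmpdir:
        cache = TokenCache(os.path.join(tmpdir, "tokens.json"), now=lambda: clock[0])
        cache.store_response({"access_token": "AT1", "refresh_token": "RT1", "expires_in": 3600})
        first = cache.get_access_token(fake_refresh)   # still valid: served from disk
        clock[0] += 3600                                # past expiry minus skew
        second = cache.get_access_token(fake_refresh)  # triggers exactly one refresh
        mode = oct(stat.S_IMODE(os.stat(cache.path).st_mode))
    return {"first": first, "second": second, "refresh_calls": calls, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

The string returned by `get_access_token()` is what the v3oidcaccesstoken plugin mentioned in this thread consumes as its access token; the agent-based approach described above would replace the `refresh` callable with a call to the agent, leaving the expiry and permission checks unchanged.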