[Keystone | python-openstackclient] Federation with OAuth2.0/OIDC
Niklas Schwarz
niklas.schwarz at inovex.de
Mon Jan 30 14:21:06 UTC 2023
Hey there,
I'm currently investigating the features of openstack federated identity
and oauth2/oidc with keycloak as an identity provider.
Following the documentation [1] I have successfully deployed a setup where
it is possible to log in via the horizon board using
the login of keycloak.
As defined in the documentation I'm using apache2 with the mod_auth_openidc
module.
So far so good...
If I try to access the api via the openstack-cli using the following
configuration
```
OS_AUTH_URL=https://<openstack-ip>/identity/v3
OS_AUTH_TYPE=v3oidcpassword
OS_IDENTITY_PROVIDER=keycloak
OS_PROTOCOL=openid
OS_USERNAME=<keycloak-user>
OS_PASSWORD=<keycloak-password>
OS_PROJECT=test
OS_OPENID_SCOPE='openid email profile'
OS_DISCOVERY_ENDPOINT=https://<keycloak-ip>/realms/<realm>/.well-known/openid-configuration
OS_ACCESS_TOKEN_TYPE=access_token
OS_CLIENT_ID=<client-id>
OS_CLIENT_SECRET=<client-secret>
```
the http-status-code of the server is 500. Inspecting the logs, I found
the problem in the mod_auth_openidc module
which expects a content-type of application/x-www-form-urlencoded. Is there
any way to change the content-type
of the openstack-cli from json to urlencoded or am I missing a step in the
configuration or something else?
Thanks in advance
Niklas
[1] https://docs.openstack.org/keystone/zed/admin/federation/configure_federation.html