This is an authentication plugin for OpenStack clients (namely for the keystoneauth1 library) which provides client support for authentication against an OpenStack Keystone server configured to support OpenID Connect using Apache's mod_auth_openidc, as described below.
This plugin will allow you to authenitcate with a keystone server that is
configured to use openid
as an auth option on /etc/keystone/keystone.conf
Install it via pip:
pip install keystoneauth-websso
Or clone the repo and install it:
git clone https://github.com/vexxhost/keystoneauth-websso
cd keystoneauth-websso
pip install .
The <identity-provider>
and <protocol>
must be provided by the OpenStack
cloud provider.
-
Unscoped token:
openstack --os-auth-url https://keystone.example.org:5000/v3 \ --os-auth-type v3websso \ --os-identity-provider <identity-provider> \ --os-protocol <protocol> \ --os-identity-api-version 3 \ token issue
-
Scoped token:
openstack --os-auth-url https://keystone.example.org:5000/v3 \ --os-auth-type v3websso \ --os-identity-provider <identity-provider> \ --os-protocol <protocol> \ --os-project-name <project> \ --os-project-domain-name <project-domain> \ --os-identity-api-version 3 \ --os-openid-scope "openid profile email" \ token issue
export OS_AUTH_TYPE=v3websso
export OS_AUTH_URL=https://keystone.example.org:5000/v3
export OS_IDENTITY_PROVIDER='<keystone-identity-provider>'
export OS_PROTOCOL=openid
-
Unscoped token:
clouds: my_cloud: auth_type: v3websso auth_url: https://keystone.example.org:5000/v3 identity_provider: <keystone-identity-provider> protocol: openid
-
Scoped token:
clouds: my_cloud: auth_type: v3websso auth_url: https://keystone.example.org:5000/v3 identity_provider: <keystone-identity-provider> protocol: openid auth: project_name: <project-name> project_domain_name: <domain-name>
invoke using
OS_CLOUD=my_cloud openstack token issue
keystone configuration consists of the keystone.conf (as well as any domain-specific configs) and the Apache2 wsgi configuration.
http://localhost:9990/auth/websso/ needs to be added as a "Trusted Dashboard"
[federation]
trusted_dashboard=http://your-horizon-dashboard/auth/websso/
trusted_dashboard=http://localhost:9990/auth/websso/
There are 2 required "protected" Locations that need to be created.
-
1 Global redirect URL
<Location /v3/auth/OS-FEDERATION/identity_providers/redirect> AuthType openid-connect Require valid-user </Location>
-
1 Location that is used for websso authentication. This is specific to the target OpenStack Keystone Identity Provider. See callback_template for more information
<Location /v3/auth/OS-FEDERATION/identity_providers/<IDP-name>/protocols/openid/websso> Require valid-user AuthType openid-connect OIDCDiscoverURL http://localhost:15000/v3/auth/OS-FEDERATION/identity_providers/redirect?iss=<url-encoded-issuer> </Location>
For detailed configuration of mod_auth_oidc with Keycloak, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Keycloak