GitLocker: The Coding Marketplace

Description:

keystoneauthwebsso 0.1.1

OpenID Connect support for OpenStack clients

Quick Reference

Installation
Usage-CLI
Usage-stackrc file
Usage-clouds.yml
Keystone server configuration

This is an authentication plugin for OpenStack clients (namely for
the keystoneauth1 library) which
provides client support for authentication against an OpenStack Keystone server
configured to support OpenID Connect using Apache's
mod_auth_openidc, as described
below.
Description
v3websso plugin
This plugin will allow you to authenitcate with a keystone server that is
configured to use openid as an auth option on /etc/keystone/keystone.conf
Installation
Install it via pip:
pip install keystoneauth-websso

Or clone the repo and install it:
git clone https://github.com/vexxhost/keystoneauth-websso
cd keystoneauth-websso
pip install .

Usage
v3websso plugin
The <identity-provider> and <protocol> must be provided by the OpenStack
cloud provider.
1. Pass as command line option

Unscoped token:
openstack --os-auth-url https://keystone.example.org:5000/v3 \
--os-auth-type v3websso \
--os-identity-provider <identity-provider> \
--os-protocol <protocol> \
--os-identity-api-version 3 \
token issue

Scoped token:
openstack --os-auth-url https://keystone.example.org:5000/v3 \
--os-auth-type v3websso \
--os-identity-provider <identity-provider> \
--os-protocol <protocol> \
--os-project-name <project> \
--os-project-domain-name <project-domain> \
--os-identity-api-version 3 \
--os-openid-scope "openid profile email" \
token issue

2. Add to stackrc file
export OS_AUTH_TYPE=v3websso
export OS_AUTH_URL=https://keystone.example.org:5000/v3
export OS_IDENTITY_PROVIDER='<keystone-identity-provider>'
export OS_PROTOCOL=openid

3. Add to clouds.yml

Unscoped token:
clouds:
my_cloud:
auth_type: v3websso
auth_url: https://keystone.example.org:5000/v3
identity_provider: <keystone-identity-provider>
protocol: openid

Scoped token:
clouds:
my_cloud:
auth_type: v3websso
auth_url: https://keystone.example.org:5000/v3
identity_provider: <keystone-identity-provider>
protocol: openid
auth:
project_name: <project-name>
project_domain_name: <domain-name>

invoke using
OS_CLOUD=my_cloud openstack token issue

Keystone Server config
keystone configuration consists of the keystone.conf (as well as any domain-specific configs) and the Apache2 wsgi configuration.
Configure /etc/keystone/keystone.conf
http://localhost:9990/auth/websso/ needs to be added as a "Trusted Dashboard"
[federation]
trusted_dashboard=http://your-horizon-dashboard/auth/websso/
trusted_dashboard=http://localhost:9990/auth/websso/

Configure wsgi-keystone.conf
There are 2 required "protected" Locations that need to be created.

1 Global redirect URL
<Location /v3/auth/OS-FEDERATION/identity_providers/redirect>
AuthType openid-connect
Require valid-user
</Location>

1 Location that is used for websso authentication. This is specific to the target OpenStack Keystone Identity Provider. See callback_template for more information
<Location /v3/auth/OS-FEDERATION/identity_providers/<IDP-name>/protocols/openid/websso>
Require valid-user
AuthType openid-connect
OIDCDiscoverURL http://localhost:15000/v3/auth/OS-FEDERATION/identity_providers/redirect?iss=<url-encoded-issuer>
</Location>

For detailed configuration of mod_auth_oidc with Keycloak, see:
https://github.com/OpenIDC/mod_auth_openidc/wiki/Keycloak