Custom Auth plugin for OpenID Connect
With Keystone acting as a service provider and a non-OpenStack service running as an identity provider, a user registered in the identity provider should be able to retrieve a Keystone token via OpenID Connect.
- The incoming Keystone auth request would be project- or domain-scoped and carry some OpenID Connect related information.
- Keystone would have to be set up to issue a request to the OpenID Connect provider (like the ec2 or the proposed Kerberos auth plugins).
- Keystone would have to know the IdP's authentication endpoints (in the conf file).
- An OpenID Connect implicit flow would be used.
- The information returned from the identity provider (the claims) would include group information.
- Keystone would return a project- or domain-scoped token after checking the roles assigned to those groups.
More info here: https:/
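The flow sketched above, as an added stand-alone example rather than Keystone's own plugin code: the plugin receives a scoped request carrying an ID token from the implicit flow, validates the token against the IdP settings it would read from its configuration, reads the `groups` claim, and issues a scoped token carrying the roles those groups hold. The issuer, client id, shared key, token claims and group-to-role mapping are all constructed; the HS256 signing keeps the example offline, whereas a real IdP would sign with RS256 and the plugin would fetch the provider's public keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed IdP settings, standing in for what the conf file would hold.
IDP_ISSUER = "https://idp.example.test"
CLIENT_ID = "keystone-example"
IDP_KEY = b"constructed-shared-secret"  # HS256 only to keep the example offline

# Constructed group -> roles mapping per (scope_type, scope_id), standing in
# for Keystone's group role assignments.
GROUP_ROLE_MAPPING = {
    ("project", "proj-a"): {"ops": {"admin", "member"}, "devs": {"member"}},
    ("domain", "default"): {"ops": {"admin"}},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS; used only to fabricate the sample ID token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token, key, issuer, audience, nonce, now=None):
    """Check signature, iss, aud, exp and nonce; raise ValueError on failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # OIDC allows a string or a list here
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The implicit flow hands the token back in the front channel, so binding
    # it to the nonce of the original request is what blocks a replayed token.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def roles_for_scope(groups, scope_type, scope_id):
    """Union of the roles the user's groups hold on the requested scope."""
    assignments = GROUP_ROLE_MAPPING.get((scope_type, scope_id), {})
    roles = set()
    for group in groups:
        roles |= assignments.get(group, set())
    return roles


def issue_scoped_token(claims, scope_type, scope_id, now=None):
    roles = roles_for_scope(claims.get("groups", []), scope_type, scope_id)
    if not roles:
        raise PermissionError("no role assignment on the requested scope")
    now = time.time() if now is None else now
    return {"user_id": claims["sub"], "scope": {scope_type: scope_id},
            "roles": sorted(roles), "expires_at": now + 3600}


def authenticate(token, scope_type, scope_id, nonce, now=None):
    """The plugin's job: validate the ID token, then scope by group roles."""
    claims = verify_id_token(token, IDP_KEY, IDP_ISSUER, CLIENT_ID, nonce, now)
    return issue_scoped_token(claims, scope_type, scope_id, now)


def sample_token(now, groups=("devs",), audience=CLIENT_ID, nonce="n-123"):
    """Constructed ID token as the IdP would return it after the implicit flow."""
    return make_id_token({"iss": IDP_ISSUER, "sub": "user-42", "aud": audience,
                          "exp": now + 300, "iat": now, "nonce": nonce,
                          "groups": list(groups)}, IDP_KEY)


if __name__ == "__main__":
    t = time.time()
    print(authenticate(sample_token(t), "project", "proj-a", "n-123", t))
```

A request for a scope on which none of the user's groups hold a role is refused rather than answered with an unscoped token, and every token check fails closed with a `ValueError` the plugin would turn into an authentication failure.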
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Steve Martinelli
- Direction: Needs approval
- Assignee: Steve Martinelli
- Definition: Superseded
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Steve Martinelli
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
POC - Add openID Connect auth plugin