Custom Auth plugin for openID Connect

Registered by Steve Martinelli

This blueprint has been superseded. See the newer blueprint "OpenID connect as A Federated IdP protocol" for updated plans.

With Keystone acting as a service provider and a non-OpenStack service running as an identity provider, a user registered in the identity provider should be able to retrieve a Keystone token via OpenID Connect.

- The incoming Keystone auth request would be project or domain scoped and would carry some OpenID Connect related info.
- Keystone would have to be set up to issue a request to the OpenID Connect provider (like the EC2 or proposed Kerberos auth plugins).
- Keystone would have to know the IdP's authentication endpoints (in the conf file).
- An OpenID Connect implicit flow would be used.
- The information returned from the identity provider (the claims) would include group information.
- Return a project- or domain-scoped Keystone token by checking the roles of those groups.

More info here: https://etherpad.openstack.org/p/openidconnect
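The flow sketched above, as an added illustration that is not Keystone code and not part of this blueprint: the plugin receives an ID token obtained through the implicit flow, verifies it (signature, issuer, audience, expiry, nonce), reads the groups claim, and derives role assignments on the requested project from a configured group-to-role table. Everything here is an assumption: the issuer, client_id, secret and group table are constructed values standing in for what a plugin would read from keystone.conf, and an HS256 shared secret replaces the RS256/JWKS verification a real IdP would require so the script runs offline.

```python
"""Constructed example: validate an OpenID Connect ID token and map its
groups claim to roles on a project.  Not Keystone code; all identifiers
(issuer, client_id, secret, group table) are assumptions for the demo."""
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration, standing in for values read from keystone.conf.
IDP_ISSUER = "https://idp.example.test"      # assumed IdP issuer
CLIENT_ID = "keystone-sp"                    # assumed client_id registered at the IdP
IDP_SECRET = b"shared-secret-for-demo-only"  # assumed HS256 key (real IdPs use RS256 + JWKS)

# Constructed mapping of IdP groups to {project: {roles}}.
GROUP_ROLES = {
    "cloud-admins": {"project-a": {"admin", "member"}},
    "developers": {"project-a": {"member"}, "project-b": {"member"}},
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(claims, secret=IDP_SECRET):
    """Build a constructed HS256 ID token so the example runs without an IdP."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, expected_nonce, now=None, secret=IDP_SECRET):
    """Return the verified claims, or raise ValueError on any check failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this service provider")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def authenticate(token, expected_nonce, project, now=None):
    """Validate the token, derive roles on ``project`` from the groups claim
    and return a scoped-token sketch.  Groups not in the table grant nothing;
    a user with no role on the project is refused rather than given a token."""
    claims = validate_id_token(token, expected_nonce, now=now)
    roles = set()
    for group in claims.get("groups", []):
        roles |= GROUP_ROLES.get(group, {}).get(project, set())
    if not roles:
        raise PermissionError(f"user {claims['sub']} has no role on {project}")
    return {"user": claims["sub"], "project": project, "roles": sorted(roles)}


if __name__ == "__main__":
    nonce = "n-0S6_WzA2Mj"  # constructed; the client generates one per request
    tok = make_id_token({"iss": IDP_ISSUER, "sub": "alice", "aud": CLIENT_ID,
                         "exp": int(time.time()) + 300, "nonce": nonce,
                         "groups": ["developers", "unknown-group"]})
    print(authenticate(tok, nonce, "project-b"))
```

The nonce check is what ties the ID token to the request Keystone originally triggered; without it a token captured from one implicit-flow response could be replayed in another.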

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Steve Martinelli
Direction: Needs approval
Assignee: Steve Martinelli
Definition: Superseded
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Steve Martinelli

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/auth-plugin-openid-connect,n,z

Addressed by: https://review.openstack.org/61662
    POC - Add openID Connect auth plugin


Work Items
