OpenID Connect support for authorization code seems to be incomplete

OK, I get the problem... a user gets the authorization codes via a browser, the codes are one-time use. If used via openstackclient, these authorization codes are used up after every command. So the user would have to get a user authorization code after every osc command. definitely not ideal!

first attempt: https://review.openstack.org/#/c/330006/1

@Steve, that's it. If the user is accessing OpenStack 100 times, 100 browser tabs/windows will be opened. In most cases authentication will be done manually (i.e. log in) only once, as subsequent requests will be authenticated if the user does not log out.

The access token can be reused (as long as it is still valid), so the only way to not ask for authentication each time is to persist the access token from session to session and detect if a valid token is there. The token can be persisted to disk but this may have security concerns.

Automatically unassigning due to inactivity.

Change abandoned by Alvaro Lopez Garcia (<email address hidden>) on branch: master
Review: https://review.openstack.org/330006
Reason: Lets abandon this until I try to figure out what the best (or correct) approach would be.

Reassigning this to me, as the bug is still valid. The inactivity on the bug itself is not due to actual inactivity, but due to discussions going in the background...

Alvaro,

Do you have any update on the discussions needed to solve this? If there is something we need to come to consensus on as a group, please feel free to add it to the agenda for the weekly keystone meeting [0].

[0] https://etherpad.openstack.org/p/keystone-weekly-meeting

Automatically unassigning due to inactivity.

I suggest to get inpiration from https://github.com/int128/kubelogin. They implement the Authorization Code flow correctly and include a local cache of the received token.