keystoneauth

oidc plugins should check for their required options

Bug #1593192 reported by Alvaro Lopez
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
keystoneauth
In Progress
Low
Unassigned

Bug Description

With the myriad of options for the openid connect providers it is easy to forget to add one or several options. The code should make use of the load_from_options() method from the loader, and raise exceptions if not all the options are being defined.

Alvaro Lopez (aloga)
Changed in keystoneauth:
assignee: nobody → Alvaro Lopez (aloga)
Revision history for this message
Steve Martinelli (stevemar) wrote :

Sounds like a nice UX improvement

Changed in keystoneauth:
status: New → Triaged
importance: Undecided → Low
Revision history for this message
Jamie Lennox (jamielennox) wrote :

Agreed, but load_from_opts is from the caller. who isn't using it in ksa?

Alvaro Lopez (aloga)
tags: added: oidc
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystoneauth:
assignee: Alvaro Lopez (aloga) → nobody
Revision history for this message
Jamie Lennox (jamielennox) wrote :

This came up with a user recently - yes, we absolutely need this but you shouldn't have to fix the problem in load_from_opts. You should simply be able to put required=True on the plugin loader options that are required.

The most obvious one of these is access-token in OidcAccessToken, if you don't specify required here you get an error because you aren't passing enough options to the loader, but I'm suspecting that there are a number of other options in that file that also need to be marked.

Alvaro or Steve - you guys understand this better than I, can you go through the OIDC loaders and just put required=True next to required options.

Steve Martinelli (stevemar)
tags: added: user-experience
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystoneauth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/392198

Changed in keystoneauth:
assignee: nobody → Steve Martinelli (stevemar)
status: Triaged → In Progress
Revision history for this message
Steve Martinelli (stevemar) wrote :

i put up https://review.openstack.org/#/c/392198/

Revision history for this message
Alvaro Lopez (aloga) wrote :

Oops, sorry I missed this... Jamie, thanks for the explanation, and Steve, thanks for the patch!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/392198
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=827895281ba2d0a1786ee92ad859414de1dbe64b
Submitter: Jenkins
Branch: master

commit 827895281ba2d0a1786ee92ad859414de1dbe64b
Author: Steve Martinelli <email address hidden>
Date: Tue Nov 1 11:12:12 2016 -0400

    mark a few oidc parameters as required

    to better the user experience, mark a few of the open id connect
    options as required, users should get back more meaningful
    error messages.

    as part of the change, there was also a discrepancy between what
    the loader used for the authorization code, and what the plugin
    was using. deprecate the old loader option (authorization-code)
    in favor of the one used by the plugin (code).

    Change-Id: I18318ef44f99e4f973176dd99b61770b1151f7a0
    Partial-Bug: 1593192

Steve Martinelli (stevemar)
Changed in keystoneauth:
assignee: Steve Martinelli (stevemar) → nobody
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.