application credentials "project ID" field is empty using SSO
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
New
|
Undecided
|
Unassigned |
Bug Description
Hi
We found this issue testing the new application credential feature from Rocky dashboard. Our external user are using a SSO to get access to openstack, they are mapped correctly to an internal project. Unfortunately when they request a new application credential the "project ID" field is empty so they get this error message when they try to use the credential from the client:
$ openstack application credential list
need one of hex, bytes, bytes_le, fields, or int (HTTP 400) (Request-ID: req-12f90f0f-
As admin the user's app credential looks like this:
# openstack application credential list --user bb762ad156de46f
+------
| ID | Name | Project ID | Description | Expires At |
+------
| a7300cb18483411
+------
Any clue why we get a null Project ID using a SSO?
Cheers ant thanks!
Alvaro
summary: |
- application credentials "projec ID" field is empty using SSO + application credentials "project ID" field is empty using SSO |
tags: | added: keystone |
After some more debugging the issue seems to come from lack of project scoped token that horizon uses. credential create with an unscoped token, gives you an unscoped application token, which is useless.
I'm not sure that when using SSO, you should get a project scoped token when working with horizon, but in our case it seems we don't have one, and calling the keystone application_
fix is either to use project scoped token in horizon when using SSO; or when the application_ credential create is called, to get one and use the new scoped token to create the credential.