Federation Unable to handle multiple groups
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
Bug Description
I'm using OIDC federated authentication, I'm able to use the mapping json to do ephemeral user authentication.
Following is my mapping json:
[
{
"local": [
{
},
"domain": {
}
],
"remote": [
{
},
{
},
{
]
}
]
}
]
and when tested with the keystone-manage mapping, I'm able to see multiple groups properly.
Output of the keystone-manage mapping verification:
{
"group_ids": [
"5207b97776
],
"user": {
"domain": {
"id": "Federated"
},
"type": "ephemeral",
"name": "<email address hidden>"
},
"group_names": []
}
However, when the same flow is executed through OIDC, I get the following error message:
{"error": {"message": "Group ['5207b97776914
I looked into the util.py code and printed the groups that were coming into the validate_
validate_
2016-04-26 12:38:46.750572 25124 DEBUG keystone.
2016-04-26 12:38:46.750704 25124 DEBUG keystone.
2016-04-26 12:38:47.092780 25124 WARNING keystone.
It looks like the list is formed incorrectly:
[u"['5207b97776
It should have been:
[u'5207b9777691
Thanks,
Krishna
affects: | centos → ubuntu |
no longer affects: | ubuntu |
description: | updated |
Upon talking to Steve and Henry, this is really not a bug.
"user" : {
"name" : "{0}"
} ,
Instead, to get the list of groups, group_ids has to be used.
[
{
"local": [
{
}
"type" : "HTTP_OIDC_EMAIL"
"type" : "HTTP_OIDC_GROUPS"
"type" : "HTTP_OIDC_ISS",
"any_one_of" : [
"https://idp.cisco.com/oauth2"
],
"remote": [
{
},
{
},
{
]
}
]
}
]
However, this only works in Mitaka, since group_ids is not handled in the Liberty code.
Since this is an important feature,
I'd like to request that the utils.py code that handles group_ids in Mitaka be backported to Liberty.
Thanks,
Krishna
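The following is an added example, not part of the bug report and not keystone's own code. It is a small Python model of the two mapping styles discussed above: a single "group" rule whose id is filled in by direct substitution, which turns a multi-valued attribute into the bogus group name "['a', 'b']" that the original description shows, and a "group_ids" rule that yields a proper list. It also shows the any_one_of issuer constraint acting as a trust check, and the group-existence check that rejects the broken result. The assertion values, group IDs, issuer URL and rule shapes are constructed for illustration, and parsing the substituted value back with ast.literal_eval is this example's own modelling of the reported behaviour, not a description of keystone's implementation.

```python
import ast

# Constructed assertion, shaped like what an OIDC Apache module passes to
# keystone: every attribute is a list, multi-valued ones have several entries.
ASSERTION = {
    "HTTP_OIDC_ISS": ["https://idp.example.com/oauth2"],
    "HTTP_OIDC_EMAIL": ["alice@example.com"],
    "HTTP_OIDC_GROUPS": ["group-id-aaa", "group-id-bbb"],
}
TRUSTED_ISSUER = "https://idp.example.com/oauth2"   # constructed value


def remote_values(rule, assertion):
    """Collect the remote attributes a rule refers to, in order. Entries with
    any_one_of are constraints only: if one fails, the rule does not match."""
    values = []
    for remote in rule["remote"]:
        attr = assertion.get(remote["type"], [])
        if "any_one_of" in remote:
            if not any(v in remote["any_one_of"] for v in attr):
                return None
            continue
        values.append(attr)
    return values


def substitute(template, values):
    """Direct mapping as modelled here: {n} is replaced by the n-th remote
    value; a multi-valued attribute is stringified, giving "['a', 'b']"."""
    args = [v[0] if len(v) == 1 else str(v) for v in values]
    return template.format(*args)


def parse_group_ids(text):
    """Turn a substituted group_ids string back into a list of IDs."""
    try:
        parsed = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return [text]  # a single bare ID is not a Python literal
    return list(parsed) if isinstance(parsed, (list, tuple)) else [parsed]


def apply_rule(rule, assertion):
    """Return (user_name, group_ids), or None when the rule does not match."""
    values = remote_values(rule, assertion)
    if values is None:
        return None
    user, group_ids = None, []
    for local in rule["local"]:
        if "user" in local:
            user = substitute(local["user"]["name"], values)
        if "group" in local:      # the report's first mapping: one group, id "{n}"
            group_ids.append(substitute(local["group"]["id"], values))
        if "group_ids" in local:  # the corrected mapping from the comment
            group_ids.extend(parse_group_ids(substitute(local["group_ids"], values)))
    return user, group_ids


def validate_groups(group_ids, known_groups):
    """Reject any mapped group that does not exist, as keystone does before it
    issues a federated token; the stringified-list group fails here."""
    missing = [g for g in group_ids if g not in known_groups]
    if missing:
        raise LookupError("Group %s not found" % missing)
    return group_ids


REMOTE = [
    {"type": "HTTP_OIDC_EMAIL"},
    {"type": "HTTP_OIDC_GROUPS"},
    {"type": "HTTP_OIDC_ISS", "any_one_of": [TRUSTED_ISSUER]},
]
BROKEN_RULE = {"local": [{"user": {"name": "{0}"}},
                         {"group": {"id": "{1}"}, "domain": {"id": "Federated"}}],
               "remote": REMOTE}
FIXED_RULE = {"local": [{"user": {"name": "{0}"}}, {"group_ids": "{1}"}],
              "remote": REMOTE}
KNOWN_GROUPS = {"group-id-aaa", "group-id-bbb"}  # constructed group IDs

if __name__ == "__main__":
    for name, rule in (("group", BROKEN_RULE), ("group_ids", FIXED_RULE)):
        user, ids = apply_rule(rule, ASSERTION)
        try:
            print(name, "->", user, validate_groups(ids, KNOWN_GROUPS))
        except LookupError as exc:
            print(name, "-> rejected:", exc)
```

Running it prints the rejected stringified group for the "group" rule and the two real IDs for the "group_ids" rule. The any_one_of entry is the part worth keeping in any real mapping: an assertion from an issuer outside the trusted list never reaches the group lookup at all.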