Requesting a scoped token when using x509 authentication is redundant
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Triaged | Medium | Unassigned | |
Bug Description
In order to get a project-scoped token with an x509 certificate (not tokenless authentication), I need to specify X-Project-Id in the request header and I need to specify the project in the scope of the request body.
If I leave out the header (e.g., X-Project-Id) but keep the scope in the request body, the request fails with an HTTP 400 validation error [1]. If I leave the request body unscoped and keep the X-Project-Id header in the request, it is ignored and I get back an unscoped token [2].
It seems redundant to have to specify both to get a scoped token.
[0] https:/
[1] https:/
[2] https:/
tags: added: x509
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: user-experience
I think this is an invalid use case. X.509 certificate-based authentication is not meant to be used with external auth. It is designed to be a federation protocol and hence uses the federation workflow.