Requesting a scoped token when using x509 authentication is redundant
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Triaged
|
Medium
|
Unassigned | ||
Bug Description
In order to get a project-scoped token with an x509 certificate (not tokenless authentication), I need to specify X-Project-Id in the request header and I need to specify the project in the scope of the request body.
If I leave out the header (e.g., X-Project-Id) but keep the scope in the request body, the request fails with an HTTP 400 validation error [1]. If I leave the request body unscoped and keep the X-Project-Id header in the request, it is ignored an I get back an unscoped token [2].
It seems redundant to have to specify both to get a scoped token.
[0] https:/
[1] https:/
[2] https:/
| tags: | added: x509 |
| Changed in keystone: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| tags: | added: user-experience |
| Guang Yee (guang-yee) wrote | #1 |
| Guang Yee (guang-yee) wrote | #2 |
| Colleen Murphy (krinkle) wrote | #3 |
I think this is an invalid use case. X.509 certificate based authentication is not meant to be used with external auth. It is designed to be a federation protocol and hence using the federation workflow.