Keystone should propagate redirect exceptions from auth plugins

It would be great to get more information, like the link to the code for your auth plugin so that someone can reproduce it, and specifics on which versions of keystone this used to work for. If this behavior changed when Flask was introduced, that's definitely a regression we should fix.

Hi Colleen.

Sorry for my silence.

The code for the plugin (work in progress) is here: https://github.com/IFCA/keystone-oidc-auth-plugin/

Alvaro, can you confirm what version of keystone you were using when this worked for you, and what version you're using now that doesn't work?

Hi Collen.

Unfortunately I do not remember the version, but it was before Flask's migration, IIRC. Currently we are testing with the R, S and T releases.

Best.

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Fix proposed to branch: master
Review: https://review.opendev.org/754694

Any chances that this bug (and solution) gets some attention?

Reviewed: https://review.opendev.org/c/openstack/keystone/+/754694
Committed: https://opendev.org/openstack/keystone/commit/1c106f48b05d45e87ecdfbda1586d9456d818f7e
Submitter: "Zuul (22348)"
Branch: master

commit 1c106f48b05d45e87ecdfbda1586d9456d818f7e
Author: ferag <email address hidden>
Date: Thu Nov 21 11:34:40 2019 +0000

    Propagate redirect exceptions to the client

    When a developer is implementing an Authentication plugin, in some cases
    (like an OpenID Connect plugin) it is needed to perform a redirect to
    the provider to complete the flow. This was possible in the past (before
    moving to Flask) by raising an exception with the proper HTTP code set,
    but the framework change made this possibility not available anymore.

    Closes-Bug: #1854041
    Co-authored-by: Alvaro Lopez Garcia <email address hidden>
    Change-Id: I333eb15c66f37207e6937d0cb3a80f26cf9bebfc

This issue was fixed in the openstack/keystone 25.0.0.0rc1 release candidate.