Federation docs for OIDC recommend implicit grant

Bug #2027729 reported by Kristi Nikolla
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Undecided
Assigned to: Unassigned
Milestone: (blank)

Bug Description

The documentation for setting up OIDC says to use id_token in OIDCResponseType instead of code (or omitting the line entirely since code is the default).

https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configuring-apache-httpd-for-mod-auth-openidc

Using implicit grant is not recommended, as per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-09

What is recommended is Authorization Code with PKCE.

Sam Schmitt (samcat116) wrote:

Hello,
Does Keystone currently support OIDC auth via Authorization Code with PKCE? I cannot find any documentation for configuring it. I'd like to use the openstack cli without specifying a client secret, as we cannot distribute that secret to all users.
