OpenID Connect plugins should support OpenID Connect Discovery

Bug #1583682 reported by Alvaro Lopez
Affects | Status | Importance | Assigned to | Milestone
keystoneauth | Fix Released | Medium | Alvaro Lopez |

Bug Description

Currently, the OpenID Connect plugins require the user to specify the access token endpoint for OpenID Connect. These plugins should allow users to specify the well-known location of an OpenID Connect Discovery Document, so that the access token endpoint and other OpenID related stuff can be obtained from it.

See

    https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

and

    https://developers.google.com/identity/protocols/OpenIDConnect#discovery

Tags: oidc
Alvaro Lopez (aloga)
Changed in keystoneauth:
assignee: nobody → Alvaro Lopez (aloga)
Steve Martinelli (stevemar) wrote :

That would be an excellent feature to have.

Changed in keystoneauth:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystoneauth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/330464

Changed in keystoneauth:
status: Triaged → In Progress
Alvaro Lopez (aloga)
tags: added: oidc
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/330464
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=00746ea636f8cece848644100b5a340d062b61f4
Submitter: Jenkins
Branch: master

commit 00746ea636f8cece848644100b5a340d062b61f4
Author: Alvaro Lopez Garcia <email address hidden>
Date: Thu Jun 16 10:33:52 2016 +0200

    oidc: add discovery document support

    OpenID Connect specifies that all providers must return a JSON
    discovery document [1] in a well-known location. We can let the user
    pass this document instead of the individual endpoints (i.e. token and
    authorization endpoint). Moreover, we can also check if the requested
    grant_type (implicit to the used plugin, and one of client_credentials,
    password, authorization_code) is supported by the provider before
    starting the auth flow.

    [1] https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

    Fixes-bug: #1583682
    Change-Id: I24b7960b25ddcff45552c0ab5541d92122d1d560

Changed in keystoneauth:
status: In Progress → Fix Released
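
The check described in the commit message above, as an added example that is not keystoneauth's code or part of the original report: resolve the token endpoint from a discovery document and reject an unsupported grant type before any credentials are sent. The names `discovery_url`, `resolve_token_endpoint` and `DiscoveryError`, the `idp.example.org` document and the https-only rule are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document (not from a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "token_endpoint": "https://idp.example.org/token",
    "grant_types_supported": ["authorization_code", "password"],
})

# OpenID Connect Discovery 1.0 default when grant_types_supported is omitted.
DEFAULT_GRANT_TYPES = ("authorization_code", "implicit")


class DiscoveryError(ValueError):
    """The discovery document cannot be used for the requested flow."""


def discovery_url(issuer):
    """Well-known location of the discovery document for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def resolve_token_endpoint(raw_doc, expected_issuer, grant_type):
    """Return the token endpoint for grant_type or raise DiscoveryError."""
    try:
        doc = json.loads(raw_doc)
    except ValueError as exc:
        raise DiscoveryError("discovery document is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise DiscoveryError("discovery document must be a JSON object")
    # The spec requires the issuer to be identical to the one that was queried;
    # a mismatch means the endpoints belong to some other party.
    if doc.get("issuer") != expected_issuer:
        raise DiscoveryError("issuer mismatch")
    # Fail before starting the auth flow if the provider lacks the grant type.
    supported = doc.get("grant_types_supported", DEFAULT_GRANT_TYPES)
    if grant_type not in supported:
        raise DiscoveryError("grant type %r is not advertised" % grant_type)
    endpoint = doc.get("token_endpoint")
    # Assumption of this example: credentials are only sent to https endpoints.
    if not isinstance(endpoint, str) or urlsplit(endpoint).scheme != "https":
        raise DiscoveryError("token endpoint missing or not https")
    return endpoint


if __name__ == "__main__":
    print(discovery_url("https://idp.example.org"))
    print(resolve_token_endpoint(SAMPLE_DISCOVERY, "https://idp.example.org", "password"))
```
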