OpenID Connect support for authorization code seems to be incomplete
Bug #1583961 reported by Alvaro Lopez
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
keystoneauth | Triaged | Medium | Unassigned | |
Bug Description
The OpenID Connect support for the "authorization code" grant type requires two steps for obtaining an access token.
1.- An authorization code needs to be obtained from the authorization endpoint.
2.- The authorization code is exchanged with the access token endpoint to obtain an access token.
Currently, the oidc plugin only implements 2. Moreover, the authorization code is a single-use secret, so it seems that support is incomplete, as the user must obtain a new auth. code each time.
Changed in keystoneauth:
assignee: nobody → Alvaro Lopez (aloga)
Changed in keystoneauth:
status: Triaged → In Progress
tags: added: oidc
Changed in keystoneauth:
assignee: Alvaro Lopez (aloga) → Jamie Lennox (jamielennox)
Changed in keystoneauth:
assignee: Jamie Lennox (jamielennox) → Alvaro Lopez (aloga)
OK, I get the problem... A user gets the authorization codes via a browser; the codes are one-time use. If used via openstackclient, these authorization codes are used up after every command. So the user would have to get a new authorization code after every osc command. Definitely not ideal!
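The two steps from the bug description, and the single-use behaviour discussed in the comment above, as an added example (not part of the bug report and not keystoneauth code). `ToyProvider`, `run_flow`, the client id and all URLs are hypothetical, constructed stand-ins for a real identity provider.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT = "http://localhost:8080/callback"  # constructed sample value

class ToyProvider:
    """Constructed in-memory stand-in for an OpenID Connect provider."""
    def __init__(self, client_id):
        self.client_id = client_id
        self._redeemed = {}  # authorization code -> already exchanged?

    def authorize(self, url):
        """Step 1: authorization endpoint, returns the redirect carrying the code."""
        q = parse_qs(urlparse(url).query)
        if (q.get("response_type"), q.get("client_id"), q.get("redirect_uri")) != (
                ["code"], [self.client_id], [REDIRECT]):
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(16)
        self._redeemed[code] = False
        state = q.get("state", [""])[0]
        return REDIRECT + "?" + urlencode({"code": code, "state": state})

    def token(self, form):
        """Step 2: token endpoint; each code is accepted exactly once.
        Client authentication is omitted, and any mismatch is reported
        as invalid_grant in this toy."""
        code = form.get("code")
        if (form.get("grant_type") != "authorization_code"
                or form.get("redirect_uri") != REDIRECT
                or self._redeemed.get(code) is not False):
            return 400, {"error": "invalid_grant"}
        self._redeemed[code] = True
        return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def run_flow():
    idp = ToyProvider("demo-client")
    state = secrets.token_urlsafe(8)
    # Step 1 (the part the report says the plugin does not implement).
    auth_url = "https://idp.example/authorize?" + urlencode({
        "response_type": "code", "scope": "openid", "client_id": idp.client_id,
        "redirect_uri": REDIRECT, "state": state})
    callback = parse_qs(urlparse(idp.authorize(auth_url)).query)
    if callback["state"] != [state]:
        raise RuntimeError("state mismatch")
    form = {"grant_type": "authorization_code", "code": callback["code"][0],
            "redirect_uri": REDIRECT}
    # Step 2 twice: a second command reusing the same code is rejected.
    return idp.token(form), idp.token(form)

if __name__ == "__main__":
    print(run_flow())
```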