Hi all.
I tested the changes with v3oidcaccesstoken but I have realized that there are bits missing with the password grant type classes, both in keystoneauth (not accepting kwargs for specifying scope) and in python-openstackclient (setting the scope parameter "user_domain_id"). I will upload several patches that will fix that, with a reference to this bug.
However, you are also missing several configuration parameters in your clouds.yaml that are required for OIDC when using the password credentials grant type:
- protocol: The configured protocol for the IdP that you configured in Keystone.
- access_token_endpoint: The endpoint from your IdP where you can obtain an OIDC access token
- client_id: The client ID that you have configured at your IdP.
- client_secret: The client secret that corresponds to your client ID.
Hope this helps.
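
A clouds.yaml entry carrying the four parameters listed above, as an added example that is not part of the original comment. The `v3oidcpassword` auth type and the remaining keys (`auth_url`, `identity_provider`, `username`, `password`, the project scope) are assumptions based on keystoneauth's OIDC password plugin, and every value is a placeholder.

```yaml
# Added example: all names and values below are placeholders, not taken from the bug report.
clouds:
  oidc-cloud:                        # hypothetical cloud name
    auth_type: v3oidcpassword        # assumed: keystoneauth's OIDC password grant plugin
    auth:
      auth_url: "<keystone-v3-url>"
      identity_provider: "<idp-name-registered-in-keystone>"
      # The four parameters the comment lists as required:
      protocol: "<protocol-configured-for-the-idp-in-keystone>"
      access_token_endpoint: "<idp-token-endpoint-url>"
      client_id: "<client-id-configured-at-the-idp>"
      client_secret: "<client-secret-for-that-client-id>"
      # Resource owner credentials sent to the IdP by the password grant:
      username: "<idp-username>"
      password: "<idp-password>"
      # Scope for the resulting Keystone token (assumed project scope):
      project_name: "<project-name>"
      project_domain_id: "<project-domain-id>"
```

Because `client_secret` and `password` sit in this file in clear text, restrict its permissions to the owning user.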