Comment 10 for bug 1582774

Alvaro Lopez (aloga) wrote : Re: OidcPassword auth plugin should accept scope parameters

Hi all.

I tested the changes with v3oidcaccesstoken but I have realized that there are bits missing with the password grant type classes, both in keystoneauth (not accepting kwargs for specifying scope) and in python-openstackclient (setting the scope parameter "user_domain_id"). I will upload several patches that will fix that, with a reference to this bug.

However, you are also missing several configuration parameters in your clouds.yaml that are required for OIDC when using the password credentials grant type:

 - protocol: The configured protocol for the IdP that you configured in Keystone.
 - access_token_endpoint: The endpoint from your IdP where you can obtain an OIDC access token.
 - client_id: The client ID that you have configured at your IdP.
 - client_secret: The client secret that corresponds to your client ID.

Hope this helps.
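
A check for the four settings listed in the comment above, added here as an example; it is not part of the original comment or of keystoneauth. It assumes the clouds.yaml file has already been parsed into a mapping, that the cloud uses the `v3oidcpassword` auth type, and that the settings sit under the cloud's `auth` section. The function name, cloud names and all values are constructed for illustration.

```python
# Added example: lint parsed clouds.yaml data for the OIDC password-grant
# settings named in the comment. All sample values below are constructed.

OIDC_PASSWORD_AUTH_TYPE = "v3oidcpassword"  # keystoneauth plugin name
REQUIRED_AUTH_KEYS = ("protocol", "access_token_endpoint",
                      "client_id", "client_secret")


def missing_oidc_keys(config):
    """Return {cloud_name: [missing keys]} for clouds using v3oidcpassword.

    `config` is the mapping obtained by parsing clouds.yaml (for example
    with yaml.safe_load). A key is missing when absent, None or blank.
    """
    report = {}
    for name, cloud in (config.get("clouds") or {}).items():
        cloud = cloud or {}
        if cloud.get("auth_type") != OIDC_PASSWORD_AUTH_TYPE:
            continue  # other auth plugins have different requirements
        auth = cloud.get("auth") or {}
        missing = [key for key in REQUIRED_AUTH_KEYS
                   if not str(auth.get(key) or "").strip()]
        if missing:
            report[name] = missing
    return report


# Constructed sample: one incomplete entry, one complete, one non-OIDC.
COMMON = {"auth_url": "https://keystone.example.org:5000/v3",
          "identity_provider": "example-idp",
          "username": "alice", "password": "PLACEHOLDER"}
SAMPLE = {"clouds": {
    "incomplete": {"auth_type": OIDC_PASSWORD_AUTH_TYPE,
                   "auth": dict(COMMON, client_id="example-client",
                                protocol="")},
    "complete": {"auth_type": OIDC_PASSWORD_AUTH_TYPE,
                 "auth": dict(COMMON, protocol="openid",
                              access_token_endpoint="https://idp.example.org/token",
                              client_id="example-client",
                              client_secret="PLACEHOLDER")},
    "plain": {"auth_type": "password", "auth": dict(COMMON)},
}}

if __name__ == "__main__":
    for cloud, keys in missing_oidc_keys(SAMPLE).items():
        print(f"{cloud}: missing {', '.join(keys)}")
```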