v3oidcpassword federated login error (argument count)

Bug #1648580 reported by Joe Godscale on 2016-12-08
This bug affects 2 people
Affects                  Status  Importance  Assigned to  Milestone
python-openstackclient   New     Undecided   Unassigned

Bug Description

I try to login via an IdP account using OIDC:

openstack \
 --os-auth-type v3oidcpassword \
 --os-auth-url http://keystone:5000/v3 \
 --os-identity-provider idp \
 --os-protocol oidc \
 --os-client-id openid-client \
 --os-discovery-endpoint https://myidp/auth/.well-known/openid-configuration \
 --os-username USER \
 --os-password PASSWD \
 --os-domain-name Default \
 --os-project-name admin \
 --debug

When I enter "token issue", I receive the following error:

Deferring keystone exception: __init__() takes at least 6 arguments (8 given)
command: token issue -> openstackclient.identity.v3.token.IssueToken
__init__() takes at least 6 arguments (8 given)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/cliff/app.py", line 393, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/local/lib/python2.7/site-packages/openstackclient/shell.py", line 198, in prepare_to_run_command
    return super(OpenStackShell, self).prepare_to_run_command(cmd)
  File "/usr/local/lib/python2.7/site-packages/osc_lib/shell.py", line 429, in prepare_to_run_command
    self.client_manager.setup_auth()
  File "/usr/local/lib/python2.7/site-packages/openstackclient/common/clientmanager.py", line 78, in setup_auth
    self._cli_options.config,
  File "/usr/local/lib/python2.7/site-packages/openstackclient/common/client_config.py", line 196, in load_auth_plugin
    auth_plugin = loader.load_from_options(**config['auth'])
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/loading/_plugins/identity/v3.py", line 91, in load_from_options
    return super(_OpenIDConnectBase, self).load_from_options(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/loading/identity.py", line 100, in load_from_options
    return super(BaseV3Loader, self).load_from_options(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/loading/base.py", line 165, in load_from_options
    return self.create_plugin(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/keystoneauth1/loading/base.py", line 125, in create_plugin
    return self.plugin_class(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
TypeError: __init__() takes at least 6 arguments (8 given)
clean_up IssueToken: __init__() takes at least 6 arguments (8 given)
__init__() takes at least 6 arguments (8 given)

The setup works with Horizon and I also successfully received a token in the past, but not anymore (possibly due to an update). Any hints?

Name: python-keystoneclient
Version: 3.8.0
Name: python-openstackclient
Version: 3.4.1

summary: - v3oidcpassword federated login argument count error
+ v3oidcpassword federated login error (argument count)
Steve Martinelli (stevemar) wrote :

Hi Joe,

Sorry for taking a while to triage, looking into this now. Do you recall the keystoneclient and openstackclient versions that last worked?

IIRC we did do some minor refactoring of the OIDC code in keystoneauth. Looking at the code now, it seems the following are required: username and password [1], and any combination of: client-id, client-secret, openid-scope, access-token-endpoint, discovery-endpoint, access-token-type. [2] This is in addition to: idp, protocol, project, and auth-url.

Looking at the exact signature...

class OidcPassword(_OidcBase):
    """Implementation for OpenID Connect Resource Owner Password Credential."""

    grant_type = "password"

    @positional(4)
    def __init__(self, auth_url, identity_provider, protocol,
                 client_id, client_secret,
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 access_token_type='access_token',
                 username=None, password=None,
                 **kwargs):

I believe passing in client_secret is required, but looking at what you pasted, it's not there? Were you including that before? I don't see any logic for grabbing that from another place. Can you try adding --os-client-secret foo to your `token issue` command and see if you get past your error?

[1] https://github.com/openstack/keystoneauth/blob/42a6bf8dfc5257ce189d76d912f6a9ee568cd055/keystoneauth1/loading/_plugins/identity/v3.py#L141-L156

[2] https://github.com/openstack/keystoneauth/blob/42a6bf8dfc5257ce189d76d912f6a9ee568cd055/keystoneauth1/loading/_plugins/identity/v3.py#L93-L124
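
The argument-count reasoning in the comment above, as an added example that is not part of the original thread or of keystoneauth: a stand-in class with the quoted signature is checked against the options of the first command, so the absent required parameter is named instead of reported as a bare count. `OidcPasswordStandIn`, `required_params`, `missing_required`, `load_checked` and `REPORTED_OPTIONS` are hypothetical names, and the flag-to-option mapping is an assumption.

```python
import inspect


class OidcPasswordStandIn(object):
    """Stand-in carrying only the __init__ signature quoted above.

    Not the keystoneauth class: no @positional decorator, no auth logic.
    """

    def __init__(self, auth_url, identity_provider, protocol,
                 client_id, client_secret,
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 access_token_type='access_token',
                 username=None, password=None,
                 **kwargs):
        self.client_id = client_id


def required_params(plugin_class):
    """Parameters without defaults, 'self' included (Python 2 counts it too)."""
    params = inspect.signature(plugin_class.__init__).parameters
    return [name for name, p in params.items()
            if p.kind is inspect.Parameter.POSITIONAL_OR_KEYWORD
            and p.default is inspect.Parameter.empty]


def missing_required(plugin_class, options):
    """Required parameters (other than self) absent from the options dict."""
    return [name for name in required_params(plugin_class)
            if name != 'self' and name not in options]


def load_checked(plugin_class, options):
    """Name the missing options instead of surfacing a bare argument count."""
    missing = missing_required(plugin_class, options)
    if missing:
        raise ValueError('missing required auth options: ' + ', '.join(missing))
    return plugin_class(**options)


# Constructed from the --os-* flags of the first command (assumed mapping).
REPORTED_OPTIONS = {
    'auth_url': 'http://keystone:5000/v3', 'identity_provider': 'idp',
    'protocol': 'oidc', 'client_id': 'openid-client',
    'discovery_endpoint': 'https://myidp/auth/.well-known/openid-configuration',
    'username': 'USER', 'password': 'PASSWD',
    'domain_name': 'Default', 'project_name': 'admin',
}
```
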

Dean Troyer (dtroyer) on 2017-02-02
Changed in python-openstackclient:
status: New → Incomplete
Aurelien Joga (aurelienjoga) wrote :

Hello Steve,

I am able to reproduce behavior very similar to what Joe reported.

Name: python-keystoneclient
Version: 3.10.0
Name: python-openstackclient
Version: 3.8.1
Name: keystoneauth1
Version: 2.18.0

$ openstack token issue \
 --os-auth-type v3oidcpassword \
 --os-auth-url http://keystone:5000/v3 \
 --os-identity-provider idp \
 --os-protocol oidc \
 --os-client-id CLIENTID \
 --os-client-secret CLIENTSECRET \
 --os-discovery-endpoint https://ID_HOST/openam/oauth2/REALM/.well-known/openid-configuration \
 --os-username USER \
 --os-password PASSWD \
 --debug

options: Namespace(access_token='***', access_token_endpoint='', access_token_type='', auth_type=u'v3oidcpassword', auth_url=u'http://keystone:5000/v3', cacert=None, cert='', client_id=u'CLIENTID', client_secret=***'CLIENTSECRET', cloud='', code='', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint=u'https://ID_HOST/openam/oauth2/REALM/.well-known/openid-configuration', domain_id='', domain_name='', endpoint='', identity_provider=u'idp', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='2', passcode='', password=***'PASSWD', project_domain_id='default', project_domain_name='', project_id='a41cafce0fd34990b2c0992001051745', project_name='admin', protocol=u'oidc', redirect_uri='', region_name='RegionOne', timing=False, token='***', trust_id='', url='', user_domain_id='default', user_domain_name='Default', user_id='', username=u'USER', verbose_level=3, verify=None)
Auth plugin v3oidcpassword selected
auth_config_hook(): {'auth_type': u'v3oidcpassword', 'beta_command': False, u'compute_api_version': u'2', 'client_id': u'CLIENTID', u'database_api_version': u'1.0', 'cacert': None, 'auth_url': u'http://keystone:5000/v3', u'network_api_version': u'2', 'protocol': u'oidc', u'message': u'', u'image_format': u'qcow2', 'discovery_endpoint': u'https://ID_HOST/openam/oauth2/REALM/.well-known/openid-configuration', 'networks': [], u'image_api_version': u'2', 'verify': True, 'identity_provider': u'idp', u'dns_api_version': u'2', u'object_store_api_version': u'1', 'username': u'USER', u'container_infra_api_version': u'1', 'verbose_level': 3, 'region_name': 'RegionOne', 'api_timeout': None, u'baremetal_api_version': u'1', 'auth': {'project_id': 'a41cafce0fd34990b2c0992001051745', 'user_domain_name': 'Default', 'project_name': 'admin', 'user_domain_id': 'default', 'project_domain_id': 'default'}, 'default_domain': 'default', u'container_api_version': u'1', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': u'***', u'application_catalog_api_version': u'1', u'key_manager_api_version': u'v1', u'metering_api_version': u'2', u'orchestration_api_version': u'1', u'identity_api_version': '3', u'volume_api_version': '2', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', u'status': u'active', 'debug': True, 'client_se...

Changed in python-openstackclient:
status: Incomplete → New