v3oidcpassword federated login error (argument count)

Hi Joe,

Sorry for taking a while to triage, looking into this now. Do you recall the keystoneclient and openstackclient versions that last worked?

IIRC we did do some minor refactoring of the OIDC code in keystoneauth. Looking at the code now, it seems the following are required: username and password [1], and any combination of: client-id, client-secret, openid-scope, access-token-endpoint, discovery-endpoint, access-token-type. [2] This is in addition to: idp, protocol, project, and auth-url.

Looking at the exact signature...

class OidcPassword(_OidcBase):
    """Implementation for OpenID Connect Resource Owner Password Credential."""

    grant_type = "password"

    @positional(4)
    def __init__(self, auth_url, identity_provider, protocol,
                 client_id, client_secret,
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 access_token_type='access_token',
                 username=None, password=None,
                 **kwargs):

I believe passing in client_secret is required, but looking at what you pasted, it's not there? Were you including that before? I don't see any logic for grabbing that from another place. Can you try adding --os-client-secret foo to your `token issue` command and see if you get past your error?

[1] https://github.com/openstack/keystoneauth/blob/42a6bf8dfc5257ce189d76d912f6a9ee568cd055/keystoneauth1/loading/_plugins/identity/v3.py#L141-L156

[2] https://github.com/openstack/keystoneauth/blob/42a6bf8dfc5257ce189d76d912f6a9ee568cd055/keystoneauth1/loading/_plugins/identity/v3.py#L93-L124

Hello Steve,

I am able to reproduce a very similar comportment as Joe reported.

Name: python-keystoneclient
Version: 3.10.0
Name: python-openstackclient
Version: 3.8.1
Name: keystoneauth1
Version: 2.18.0

$ openstack token issue \
 --os-auth-type v3oidcpassword \
 --os-auth-url http://keystone:5000/v3 \
 --os-identity-provider idp \
 --os-protocol oidc \
 --os-client-id CLIENTID \
 --os-client-secret CLIENTSECRET \
 --os-discovery-endpoint https://ID_HOST/openam/oauth2/REALM/.well-known/openid-configuration \
 --os-username USER \
 --os-password PASSWD \
 --debug

options: Namespace(access_token='***', access_token_endpoint='', access_token_type='', auth_type=u'v3oidcpassword', auth_url=u'http://keystone:5000/v3', cacert=None, cert='', client_id=u'CLIENTID', client_secret=***'CLIENTSECRET', cloud='', code='', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint=u'https://ID_HOST/openam/oauth2/REALM/.well-known/openid-configuration', domain_id='', domain_name='', endpoint='', identity_provider=u'idp', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='2', passcode='', password=***'PASSWD', project_domain_id='default', project_domain_name='', project_id='a41cafce0fd34990b2c0992001051745', project_name='admin', protocol=u'oidc', redirect_uri='', region_name='RegionOne', timing=False, token='***', trust_id='', url='', user_domain_id='default', user_domain_name='Default', user_id='', username=u'USER', verbose_level=3, verify=None)
Auth plugin v3oidcpassword selected
auth_config_hook(): {'auth_type': u'v3oidcpassword', 'beta_command': False, u'compute_api_version': u'2', 'client_id': u'CLIENTID', u'database_api_version': u'1.0', 'cacert': None, 'auth_url': u'http://keystone:5000/v3', u'network_api_version': u'2', 'protocol': u'oidc', u'message': u'', u'image_format': u'qcow2', 'discovery_endpoint': u'https://ID_HOST/openam/oauth2/REALM/.well-known/openid-configuration', 'networks': [], u'image_api_version': u'2', 'verify': True, 'identity_provider': u'idp', u'dns_api_version': u'2', u'object_store_api_version': u'1', 'username': u'USER', u'container_infra_api_version': u'1', 'verbose_level': 3, 'region_name': 'RegionOne', 'api_timeout': None, u'baremetal_api_version': u'1', 'auth': {'project_id': 'a41cafce0fd34990b2c0992001051745', 'user_domain_name': 'Default', 'project_name': 'admin', 'user_domain_id': 'default', 'project_domain_id': 'default'}, 'default_domain': 'default', u'container_api_version': u'1', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': u'***', u'application_catalog_api_version': u'1', u'key_manager_api_version': u'v1', u'metering_api_version': u'2', u'orchestration_api_version': u'1', u'identity_api_version': '3', u'volume_api_version': '2', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', u'status': u'active', 'debug': True, 'client_se...

ello,

i'm experiencing the same issue

keystoneauth1 3.14.0
openstacksdk 0.31.1
python-keystoneclient 3.19.0
python-openstackclient 3.19.0

openstack token issue
__init__() takes at least 6 arguments (8 given)

export OS_AUTH_TYPE=v3oidcpassword
export OS_AUTH_URL="https://keystone.mydomain.com:5000/v3"
export OS_IDENTITY_PROVIDER=idp
export OS_CLIENT_ID="client-id"
export OS_PROTOCOL=oidc
export OS_DISCOVERY_ENDPOINT='https://idm.mydomain.com/auth/realms/idp/protocol/openid-connect/token'
export OS_USERNAME=myuser
export OS_PASSWORD=mypwd
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_INTERFACE="public"

Did someone find a solution?

Regards

Flavio