Comment 1 for bug 1648580

Steve Martinelli (stevemar) wrote :

Hi Joe,

Sorry for taking a while to triage, looking into this now. Do you recall the keystoneclient and openstackclient versions that last worked?

IIRC we did do some minor refactoring of the OIDC code in keystoneauth. Looking at the code now, it seems the following are required: username and password [1], and any combination of: client-id, client-secret, openid-scope, access-token-endpoint, discovery-endpoint, access-token-type. [2] This is in addition to: idp, protocol, project, and auth-url.

Looking at the exact signature...

class OidcPassword(_OidcBase):
    """Implementation for OpenID Connect Resource Owner Password Credential."""

    grant_type = "password"

    @positional(4)
    def __init__(self, auth_url, identity_provider, protocol,
                 client_id, client_secret,
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 access_token_type='access_token',
                 username=None, password=None,
                 **kwargs):

I believe passing in client_secret is required, but looking at what you pasted, it's not there? Were you including that before? I don't see any logic for grabbing that from another place. Can you try adding --os-client-secret foo to your `token issue` command and see if you get past your error?

[1] https://github.com/openstack/keystoneauth/blob/42a6bf8dfc5257ce189d76d912f6a9ee568cd055/keystoneauth1/loading/_plugins/identity/v3.py#L141-L156

[2] https://github.com/openstack/keystoneauth/blob/42a6bf8dfc5257ce189d76d912f6a9ee568cd055/keystoneauth1/loading/_plugins/identity/v3.py#L93-L124
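
An added example, not part of the original comment and not keystoneauth's own code: a pre-flight check that reads the required arguments off the `__init__` signature quoted above and reports which ones a set of options leaves out. `OidcPasswordSignature`, the helper names and the sample values are hypothetical; the stand-in omits `@positional(4)` and the real method body.

```python
import inspect


class OidcPasswordSignature:
    """Stand-in with the __init__ signature quoted in the comment.

    Assumption: @positional(4) and the real body are left out.
    """

    def __init__(self, auth_url, identity_provider, protocol,
                 client_id, client_secret,
                 access_token_endpoint=None,
                 discovery_endpoint=None,
                 access_token_type='access_token',
                 username=None, password=None,
                 **kwargs):
        pass


def required_parameters(cls):
    """Names of __init__ parameters that have no default value."""
    params = inspect.signature(cls.__init__).parameters.values()
    return [p.name for p in params
            if p.name != 'self'
            and p.kind is p.POSITIONAL_OR_KEYWORD
            and p.default is p.empty]


def missing_options(cls, supplied):
    """Required parameters that are absent from `supplied` or set to None."""
    return [name for name in required_parameters(cls)
            if supplied.get(name) is None]


# Constructed sample options (hypothetical values); client_secret is absent.
SAMPLE = {
    'auth_url': 'https://keystone.example.test:5000/v3',
    'identity_provider': 'example-idp',
    'protocol': 'openid',
    'client_id': 'example-client',
    'access_token_endpoint': 'https://idp.example.test/token',
    'username': 'demo',
    'password': 'demo-password',
}

if __name__ == '__main__':
    print('missing:', missing_options(OidcPasswordSignature, SAMPLE))
    try:
        OidcPasswordSignature(**SAMPLE)
    except TypeError as exc:
        print('constructor raised:', exc)
```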