OpenID Connect plugin for Keystone authentication

This repository contains an OpenID Connect Implementation for the OpenStack Identity service (Keystone).

Installation

Install it via pip:

pip install keystone_oidc_auth_plugin

Configuration

In order to configure it you must enable it on the authentication methods in keystone.conf, and then specify to use the ifca plugin, for instance:

[auth]

# Allowed authentication methods. Note: You should disable the `external` auth
# method if you are currently using federation. External auth and federation
# both use the REMOTE_USER variable. Since both the mapped and external plugin
# are being invoked to validate attributes in the request environment, it can
# cause conflicts. (list value)
methods = password,token,openid

openid = ifca

Then, you can configure the global OpenID Connect specific options as follows:

[openid]

# The prefix to use when setting claims in the HTTP headers/environment
# variables. (string value)
#claim_prefix = OIDC_

# Value to be used to obtain the entity ID of the Identity Provider from the
# environment. Defaults to OIDC_iss. (string value)
#remote_id_attribute = OIDC_iss

# Default duration in seconds after which retrieved JWS should be refreshed.
# (integer value)
#jws_refresh_interval = 3600

Finally, you need to add a section for each of the Identity Providers (IdP) that you want to support. In order to do so, the plugin looks for IdP entries that are prefixed by openid_. The IdP name that you use for each of these entries must match the identity provider's name configured in Keystone, therefore if you have defined an IdP named idp-name, you must add an entry as follows:

[openid_idp-name]

# OpenID connect issuer URL. We will use this to build all the required options
# asking the discovery url (i.e. querying the $issuer/.well-known/openid-
# configuration endpoint. This has to correspond to the 'remote-id' parameter
# that is set in the federated identity provider configuration that is
# configured in Keystone. (string value)
#issuer = <None>

# Client identifier used in calls to the OpenID Connect Provider (string value)
#client_id = <None>

# OpenID connect issuer URL. We will use this to build all the in Keystone.
# (string value)
#authorization_endpoint = <None>

# Client identifier only known by the application and Identity provider client
# (string value)
#client_secret = <None>

# Supported OpenID scopes in the Identity provider (string value)
#scope = <None>

# OpenID connect URL to get identity and access tokens (string value)
#token_endpoint = <None>

# Allowed HTTP method for userinfo request. Optional.
#userinfo_method = POST