| Name | keystoneauth-websso |
| Version | 0.2.5 |
| home_page | None |
| Summary | WebSSO CLI support for OpenStack keystoneauth library |
| upload_time | 2025-08-21 17:28:11 |
| maintainer | None |
| docs_url | None |
| author | Ed Timmons |
| requires_python | <4.0,>=3.8 |
| license | Apache-2.0 |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# OpenID Connect support for OpenStack clients
## Quick Reference
1. [Installation](#installation)
2. [Usage-CLI](#1-pass-as-command-line-option)
3. [Usage-stackrc file](#2-add-to-stackrc-file)
4. [Usage-clouds.yml](#3-add-to-cloudsyml)
5. [Keystone server configuration](#keystone-server-config)
This is an authentication plugin for OpenStack clients (namely for
the [keystoneauth1](https://github.com/openstack/keystoneauth) library) which
provides client support for authentication against an OpenStack Keystone server
configured to support OpenID Connect using Apache's
[mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc), as described
below.
## Description
### `v3websso` plugin
This plugin allows you to authenticate with a Keystone server that is
configured to use `openid` as an auth option in `/etc/keystone/keystone.conf`.
## Installation
Install it via pip:
```bash
pip install keystoneauth-websso
```
Or clone the repo and install it:
```bash
git clone https://github.com/vexxhost/keystoneauth-websso
cd keystoneauth-websso
pip install .
```
## Usage
### `v3websso` plugin
The `<identity-provider>` and `<protocol>` must be provided by the OpenStack
cloud provider.
#### 1. Pass as command line option
- Unscoped token:
  ```bash
  openstack --os-auth-url https://keystone.example.org:5000/v3 \
    --os-auth-type v3websso \
    --os-identity-provider <identity-provider> \
    --os-protocol <protocol> \
    --os-identity-api-version 3 \
    token issue
  ```
- Scoped token:
  ```bash
  openstack --os-auth-url https://keystone.example.org:5000/v3 \
    --os-auth-type v3websso \
    --os-identity-provider <identity-provider> \
    --os-protocol <protocol> \
    --os-project-name <project> \
    --os-project-domain-name <project-domain> \
    --os-identity-api-version 3 \
    --os-openid-scope "openid profile email" \
    token issue
  ```
#### 2. Add to stackrc file
```bash
export OS_AUTH_TYPE=v3websso
export OS_AUTH_URL=https://keystone.example.org:5000/v3
export OS_IDENTITY_PROVIDER='<keystone-identity-provider>'
export OS_PROTOCOL=openid
```
#### 3. Add to clouds.yml
- Unscoped token:
  ```yaml
  clouds:
    my_cloud:
      auth_type: v3websso
      auth_url: https://keystone.example.org:5000/v3
      identity_provider: <keystone-identity-provider>
      protocol: openid
  ```
- Scoped token:
  ```yaml
  clouds:
    my_cloud:
      auth_type: v3websso
      auth_url: https://keystone.example.org:5000/v3
      identity_provider: <keystone-identity-provider>
      protocol: openid
      auth:
        project_name: <project-name>
        project_domain_name: <domain-name>
  ```

Invoke using:
```bash
OS_CLOUD=my_cloud openstack token issue
```
## Keystone Server config
Keystone configuration consists of `keystone.conf` (as well as any domain-specific configs) and the Apache2 WSGI configuration.
### Configure /etc/keystone/keystone.conf
`http://localhost:9990/auth/websso/` needs to be added as a "Trusted Dashboard":
```ini
[federation]
trusted_dashboard=http://your-horizon-dashboard/auth/websso/
trusted_dashboard=http://localhost:9990/auth/websso/
```
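Keystone only completes a WebSSO login for an origin listed in `trusted_dashboard`, so this list is worth auditing. The following check is an added example, not code from keystoneauth-websso or Keystone; the function names and the sample file are constructed for illustration, and it assumes plain `key=value` lines.

```python
from urllib.parse import urlsplit

# Callback origin this README says must be trusted for the CLI plugin.
CLI_CALLBACK = "http://localhost:9990/auth/websso/"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample mirroring the [federation] snippet above.
SAMPLE_CONF = """\
[federation]
trusted_dashboard=http://your-horizon-dashboard/auth/websso/
trusted_dashboard=http://localhost:9990/auth/websso/
"""


def trusted_dashboards(conf_text):
    """Collect every trusted_dashboard value in [federation].

    The option is repeated once per origin, which configparser's default
    strict mode rejects as a duplicate, so the lines are scanned directly.
    """
    section, values = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "federation" and key.strip() == "trusted_dashboard":
            values.append(value.strip())
    return values


def audit(conf_text):
    """Return a list of findings; an empty list means the checks passed."""
    origins = trusted_dashboards(conf_text)
    findings = []
    if CLI_CALLBACK not in origins:
        findings.append(f"missing CLI callback {CLI_CALLBACK}")
    for origin in origins:
        url = urlsplit(origin)
        # Plain HTTP is tolerated only for loopback listeners.
        if url.scheme != "https" and url.hostname not in LOOPBACK_HOSTS:
            findings.append(f"non-loopback origin without TLS: {origin}")
    return findings
```

Run against the sample, `audit` accepts the loopback callback and reports the Horizon origin because it is served over plain HTTP.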
### Configure wsgi-keystone.conf
There are 2 required "protected" Locations that need to be created.
* 1 Global redirect URL
  ```xml
  <Location /v3/auth/OS-FEDERATION/identity_providers/redirect>
    AuthType openid-connect
    Require valid-user
  </Location>
  ```
* 1 Location that is used for websso authentication. This is specific to the target OpenStack Keystone Identity Provider. See [callback_template](https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#add-the-callback-template-websso) for more information.
  ```xml
  <Location /v3/auth/OS-FEDERATION/identity_providers/<IDP-name>/protocols/openid/websso>
    Require valid-user
    AuthType openid-connect
    OIDCDiscoverURL http://localhost:15000/v3/auth/OS-FEDERATION/identity_providers/redirect?iss=<url-encoded-issuer>
  </Location>
  ```

For detailed configuration of mod_auth_openidc with Keycloak, see:
https://github.com/OpenIDC/mod_auth_openidc/wiki/Keycloak