Bug 1981269 - Federation with OpenID Connect disables some default auth methods in Keystone [NEEDINFO]
Summary: Federation with OpenID Connect disables some default auth methods in Keystone
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: z2
Target Release: 17.1
Assignee: Dave Wilde
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-12 08:46 UTC by Takashi Kajinami
Modified: 2023-08-11 13:59 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-1.20230531200756.893037f.el9osttrunk
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
ifrangs: needinfo? (dwilde)


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1935811 | 0 | None | None | None | 2021-07-12 08:47:25 UTC
OpenStack gerrit | 800439 | 0 | None | MERGED | Keystone: Keep default auth methods in OpenIDC Federation | 2022-09-27 13:11:23 UTC
Red Hat Issue Tracker | OSP-6145 | 0 | None | None | None | 2021-11-15 13:08:28 UTC

Description Takashi Kajinami 2021-07-12 08:46:19 UTC
Description of problem:

When environments/enable-federation-openidc.yaml is included to use federation with OpenID Connect, keystone accepts the following auth methods:
 - password
 - token
 - openid

However, the list doesn't include some methods which are enabled by default, and this results in disabling some methods like application_credential.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Deploy overcloud with OpenID Connect Federation enabled
2. Check keystone.conf

Actual results:
Some of the default auth methods like application_credential are disabled

Expected results:
Default auth methods are kept enabled

Additional info:


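One way to automate the "Check keystone.conf" step from the report, as an added example that is not part of the original bug or of the tripleo-heat-templates code. It assumes Keystone's upstream default for `[auth] methods` is `external,password,token,oauth1,mapped,application_credential`; the sample config is constructed to mirror the method list in the description.

```python
import configparser

# Assumption: Keystone's upstream default for [auth]/methods (not stated on this page).
DEFAULT_AUTH_METHODS = ("external", "password", "token", "oauth1", "mapped",
                        "application_credential")

# Constructed sample mirroring the method list described in the report.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
debug = False

[auth]
# written by the OpenID Connect federation environment
methods = password,token,openid
"""


def configured_methods(conf_text):
    """Return the [auth]/methods list, or None when the option is unset."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_option("auth", "methods"):
        return None  # Keystone falls back to its built-in defaults
    raw = parser.get("auth", "methods")
    return [m.strip() for m in raw.split(",") if m.strip()]


def audit_auth_methods(conf_text, required=DEFAULT_AUTH_METHODS):
    """Compare the configured methods with the defaults expected to stay enabled."""
    methods = configured_methods(conf_text)
    if methods is None:
        return {"configured": None, "missing": [], "extra": []}
    return {
        "configured": methods,
        # Defaults that an explicit list has silently switched off.
        "missing": [m for m in required if m not in methods],
        # Methods added on top of the defaults (e.g. the federation plugin).
        "extra": [m for m in methods if m not in required],
    }


if __name__ == "__main__":
    result = audit_auth_methods(SAMPLE_KEYSTONE_CONF)
    print("configured:       ", result["configured"])
    print("disabled defaults:", result["missing"])
    print("non-default:      ", result["extra"])
```
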