
yahoo-eng-team team mailing list archive

[Bug 1541657] [NEW] Scoped OS-FEDERATION token not working


Public bug reported:

I have implemented Keystone Federation scenario with Kilo against a non-
Keystone IdP.

Following the flow described at https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html I successfully went through SAML2 authentication and I ended up with an unscoped token which is working just fine.

When I then request a scoped token out of the unscoped token I get a token which differs from the documentation:
the docs say that the user will have groups:

"user": {
    "domain": {
        "id": "Federated"
    },
    "id": "username%40example.com",
    "name": "username@xxxxxxxxxxx",
    "OS-FEDERATION": {
        "identity_provider": "ACME",
        "protocol": "SAML",
        "groups": [
            {"id": "abc123"},
            {"id": "bcd234"}
        ]
    }
}

while in my implementation I get a user with no groups (in contrast, my unscoped token has the groups in user):
"user": {
    "domain": {
        "id": "Federated",
        "name": "Federated"
    },
    "id": "myUser",
    "name": "myUser",
    "OS-FEDERATION": {
        "identity_provider": {
            "id": "myIdP"
        },
        "protocol": {"id": "saml2"}
    }
}

If I try to use the scoped token I get the error message:
# openstack --os-token 3e68789050944e9296f1e366f63a31a8 --os-auth-url https://host:5000/v3 --os-identity-api-version 3 --os-cacert /etc/pki/trust/anchors/ca.pem --os-project-name Project1 server list
ERROR: openstack Unable to find valid groups while using mapping saml_mapping (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-eb23e61c-6f1f-4259-8ff0-92063f60b5f0)

And this is no surprise if we debug the code for token creation and see
that **_handle_mapped_tokens** in /usr/lib/python2.7/site-
packages/keystone/token/providers/common.py says:

if project_id or domain_id:
    roles = self.v3_token_data_helper._populate_roles_for_groups(
        group_ids, project_id, domain_id, user_id)
    token_data.update({'roles': roles})
else:
    token_data['user'][federation.FEDERATION].update({
        'groups': [{'id': x} for x in group_ids]
    })
return token_data

So, the only way to get our groups added to the scoped token is to NOT
use domain or project scoping, but if we do not scope the token for
domain or project then we will simply get yet another unscoped token ;).


What am I missing? How am I supposed to create a scoped token which works?

Thanks in advance!

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541657

Title:
  Scoped OS-FEDERATION token not working

Status in OpenStack Identity (keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1541657/+subscriptions
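The branch quoted from `_handle_mapped_tokens` in the report above, modelled as a stand-alone Python example. This is an added illustration, not keystone's own code: it shows why a project-scoped federated token carries `roles` (derived from the mapped groups' assignments) while only the unscoped token carries the `groups` list, and it adds a defender-side check that a scoped token actually ended up with at least one role. The function names (`build_token_data`, `populate_roles_for_groups`, `check_scoped_token`), the `NoValidGroups` exception and the `GROUP_ROLE_ASSIGNMENTS` table are assumptions constructed for this example; the sample group, project and role identifiers are made up.

```python
# Added example (not keystone code): simplified model of federated token
# assembly, following the scoped/unscoped branch quoted from
# _handle_mapped_tokens. All names and sample data below are constructed.

FEDERATION = "OS-FEDERATION"

# Constructed sample data: roles each mapped group holds on each project.
# Assumption: in a real deployment these come from the assignment backend.
GROUP_ROLE_ASSIGNMENTS = {
    ("abc123", "proj-1"): [{"id": "r1", "name": "member"}],
    ("bcd234", "proj-1"): [{"id": "r2", "name": "reader"}],
}


class NoValidGroups(Exception):
    """Raised when none of the mapped groups holds a role on the target scope."""


def populate_roles_for_groups(group_ids, project_id):
    """Collect the distinct roles the given groups hold on the project.

    Models the role lookup a scoped federated token depends on: the token
    never lists the groups themselves, only the roles derived from them.
    """
    roles = {}
    for gid in group_ids:
        for role in GROUP_ROLE_ASSIGNMENTS.get((gid, project_id), []):
            roles[role["id"]] = role
    if not roles:
        # Failing here makes the problem visible at token creation rather
        # than at first use of the token.
        raise NoValidGroups(
            "groups %r hold no role on project %r" % (list(group_ids), project_id)
        )
    return sorted(roles.values(), key=lambda r: r["id"])


def build_token_data(user_id, group_ids, identity_provider, protocol,
                     project_id=None):
    """Build the token body for a federated user.

    Scoped (project_id given): 'roles' is populated from the groups and the
    'groups' key is absent, as in the report's scoped token.
    Unscoped: the groups are embedded under user/OS-FEDERATION/groups.
    """
    token_data = {
        "user": {
            "id": user_id,
            "name": user_id,
            "domain": {"id": "Federated", "name": "Federated"},
            FEDERATION: {
                "identity_provider": {"id": identity_provider},
                "protocol": {"id": protocol},
            },
        }
    }
    if project_id:
        token_data["project"] = {"id": project_id}
        token_data["roles"] = populate_roles_for_groups(group_ids, project_id)
    else:
        token_data["user"][FEDERATION]["groups"] = [{"id": g} for g in group_ids]
    return token_data


def check_scoped_token(token_data):
    """Sanity check: a project-scoped token must carry at least one role."""
    return bool(token_data.get("project")) and bool(token_data.get("roles"))


if __name__ == "__main__":
    unscoped = build_token_data("myUser", ["abc123", "bcd234"], "myIdP", "saml2")
    scoped = build_token_data("myUser", ["abc123", "bcd234"], "myIdP", "saml2",
                              project_id="proj-1")
    print("unscoped groups:", unscoped["user"][FEDERATION]["groups"])
    print("scoped roles:", [r["name"] for r in scoped["roles"]])
    print("scoped token usable:", check_scoped_token(scoped))
```

Running the block prints the groups for the unscoped token and the derived role names for the scoped one; passing a group with no assignment on the project raises `NoValidGroups`, which is the condition an operator should look for when a scoped federated token comes back without roles.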

