
yahoo-eng-team team mailing list archive

[Bug 1541657] Re: Scoped OS-FEDERATION token not working


Thanks for confirming, Bogdan; we'll get this into the next Kilo
scheduled release.

** Changed in: keystone
       Status: Invalid => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541657

Title:
  Scoped OS-FEDERATION token not working

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) kilo series:
  In Progress

Bug description:
  I have implemented Keystone Federation scenario with Kilo against a
  non-Keystone IdP.

  Following the flow described at https://specs.openstack.org/openstack
  /keystone-specs/api/v3/identity-api-v3-os-federation-ext.html I
  successfully went through SAML2 authentication and I ended up with an
  unscoped token which is working just fine.

  When I then request a scoped token out of the unscoped token, I get a token which differs from the documentation:
  the docs say that the user will have groups:

  "user": {
      "domain": {
          "id": "Federated"
      },
      "id": "username%40example.com",
      "name": "username@xxxxxxxxxxx",
      "OS-FEDERATION": {
          "identity_provider": "ACME",
          "protocol": "SAML",
          "groups": [
              {"id": "abc123"},
              {"id": "bcd234"}
          ]
      }
  }

  while in my implementation I get a user with no groups (in contrast, my unscoped token has the groups in user):
  "user": {
      "domain": {
          "id": "Federated",
          "name": "Federated"
      },
      "id": "myUser",
      "name": "myUser",
      "OS-FEDERATION": {
          "identity_provider": {
              "id": "myIdP"
          },
          "protocol": {"id": "saml2"}
      }
  }

  If I try to use the scoped token I get the error message:
  # openstack --os-token 3e68789050944e9296f1e366f63a31a8 --os-auth-url https://host:5000/v3 --os-identity-api-version 3 --os-cacert /etc/pki/trust/anchors/ca.pem --os-project-name Project1 server list
  ERROR: openstack Unable to find valid groups while using mapping saml_mapping (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-eb23e61c-6f1f-4259-8ff0-92063f60b5f0)

  And this is no surprise if we debug the code for token creation and
  see that **_handle_mapped_tokens** in
  /usr/lib/python2.7/site-packages/keystone/token/providers/common.py says:

  if project_id or domain_id:
      roles = self.v3_token_data_helper._populate_roles_for_groups(
          group_ids, project_id, domain_id, user_id)
      token_data.update({'roles': roles})
  else:
      token_data['user'][federation.FEDERATION].update({
          'groups': [{'id': x} for x in group_ids]
      })
  return token_data

  So, the only way to get our groups added to the scoped token is to NOT
  use domain or project scoping, but if we do not scope the token for
  domain or project then we will simply get yet another unscoped token ;).

  What am I missing? How am I supposed to create a scoped token which works?

  Thanks in advance!

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1541657/+subscriptions
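To make the branch quoted from `_handle_mapped_tokens` concrete, the following added example (not keystone's code, and not the patch that closed this bug) mirrors the Kilo logic next to a variant that keeps the federated group ids in the scoped token as well. The role lookup, the token layout and the group/role table are simplified stand-ins constructed for the example.

```python
"""Added illustration of the scoped-token group handling described in
bug 1541657.  Not keystone's code; the role lookup and token layout are
simplified stand-ins built for this example."""

FEDERATION = "OS-FEDERATION"

# Constructed sample data: which federated group holds which role on
# which project.  Stand-in for the real role assignment backend.
GROUP_ROLES = {
    ("abc123", "proj-1"): [{"id": "r1", "name": "member"}],
    ("bcd234", "proj-1"): [{"id": "r2", "name": "reader"}],
}


def populate_roles_for_groups(group_ids, project_id):
    """Stand-in for v3_token_data_helper._populate_roles_for_groups."""
    roles = []
    for gid in group_ids:
        roles.extend(GROUP_ROLES.get((gid, project_id), []))
    if not roles:
        # No group carried any assignment on the target project.
        raise ValueError("Unable to find valid groups")
    return roles


def handle_mapped_token_kilo(group_ids, project_id=None):
    """Mirror of the quoted Kilo logic: groups only land on unscoped tokens."""
    token = {"user": {"id": "myUser", FEDERATION: {}}}
    if project_id:
        token["roles"] = populate_roles_for_groups(group_ids, project_id)
        token["project"] = {"id": project_id}
    else:
        token["user"][FEDERATION]["groups"] = [{"id": g} for g in group_ids]
    return token


def handle_mapped_token_fixed(group_ids, project_id=None):
    """Variant that always records the groups and adds roles when scoped."""
    token = {"user": {"id": "myUser", FEDERATION: {}}}
    token["user"][FEDERATION]["groups"] = [{"id": g} for g in group_ids]
    if project_id:
        token["roles"] = populate_roles_for_groups(group_ids, project_id)
        token["project"] = {"id": project_id}
    return token


def federated_groups(token):
    """Group ids a validator can recover from the token body ([] if none)."""
    return [g["id"] for g in token["user"][FEDERATION].get("groups", [])]
```

`federated_groups` returns an empty list for the Kilo-style scoped token, which is the state the reporter observed before the 401 on validation.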

