)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"b9d82f575d9646f8800f2eff6be2ca667bb654d4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"b9543811_e8b1fff1","updated":"2022-11-04 06:08:03.000000000","message":"I have added a comment, so please kindly check it.","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"00cdf68bca34cea8e6192159ea5def3dc8e50268","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ce3e9792_9059882d","updated":"2022-11-08 06:26:39.000000000","message":"I have issued additional comments, so please check them.","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":597,"name":"Pete Zaitcev","email":"zaitcev@kotori.zaitcev.us","username":"zaitcev"},"change_message_id":"4948913596a052469e96770ca281d803721ae394","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"bf6d13ae_715b6e09","updated":"2023-04-25 15:52:12.000000000","message":"(either the new gerrit doesn\u0027t allow me to add myself to cc without actually commenting or I\u0027m too dumb to figure out how)","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"35263c63504cc4b363f24cae6b3f5175f06766ff","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"85fe9296_cfd69fd2","updated":"2023-01-03 15:04:36.000000000","message":"removed descriptions for keystoneauth as this library strongly depends on Keystone and is not reasonable to change it for the external authorization server support.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9847a63fae112ff477f42c98ec8d7f7acf0d9388","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"29504a74_d9488022","in_reply_to":"bf6d13ae_715b6e09","updated":"2023-05-19 16:35:29.000000000","message":"No comment with just the change to set cc 😊","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"154f691246af35f0c008b021e8045b9f6711fc49","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"492a8ce4_70bf9af5","updated":"2023-05-30 15:57:41.000000000","message":"Thank you Julia for your quick and clear comments.\n\nI\u0027ve updated the spec. Could you check it again when you have time?","commit_id":"fe378c53994e454823f4278d734319f072a21a74"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b63dce42a50fad208546b2839ed0c6eb959d637a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"408f1566_6d19cbe6","updated":"2023-06-13 04:55:28.000000000","message":"I agree with the direction of this spec. I provided some comments which are not blockers as they don\u0027t change or impact the implementation itself of the spec.","commit_id":"4dd8dfab34863240bd31d8ec70b5f0d33fa58524"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bc0e2c4f1a6563485ab71d05541ae7cad0bb2214","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"605270b5_12c02e80","updated":"2023-06-02 17:10:20.000000000","message":"LGTM, Thanks!","commit_id":"4dd8dfab34863240bd31d8ec70b5f0d33fa58524"}],"specs/keystonemiddleware/2023.1/external_authentication_server_oauth2_grant_support.rst":[{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"b9d82f575d9646f8800f2eff6be2ca667bb654d4","unresolved":true,"context_lines":[{"line_number":180,"context_line":""},{"line_number":181,"context_line":"::"},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"  export OS_AUTH_TYPE\u003dv3externaloauth2password"},{"line_number":184,"context_line":"  export OS_EXTERNAL_OAUTH2_ENDPOINT\u003dhttps://keycloak/protocol/openid-connect/token"},{"line_number":185,"context_line":"  export OS_EXTERNAL_OAUTH2_CLIENT_ID\u003d333e5ae19cbb47e8b18969306582be25"},{"line_number":186,"context_line":"  export OS_EXTERNAL_OAUTH2_CLIENT_SECRET\u003d333e5ae19cbb47e8b18969306582be25"},{"line_number":187,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"},{"line_number":188,"context_line":"  export OS_EXTERNAL_OAUTH2_CACERT\u003d/opt/stack/keycloak_ca.pem"},{"line_number":189,"context_line":"  export OS_EXTERNAL_OAUTH2_CERT\u003d/opt/stack/client.pem"},{"line_number":190,"context_line":"  export OS_EXTERNAL_OAUTH2_KEY\u003d/opt/stack/client.key"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"Security Impact"},{"line_number":193,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2b58c47b_912e2d39","line":190,"range":{"start_line":183,"start_character":0,"end_line":190,"end_character":53},"updated":"2022-11-04 06:08:03.000000000","message":"I think that if you use v3 externaloauth2 password, you need to add the following configuration items:.\n```\n   export OS_AUTH_URL\u003dhttp://127.0.0.1/identity\n   export OS_USER_ID\u003d333e5ae19cbb47e8b18969306582be25\n   export OS_PASSWORD\u003ddevstack\n   export OS_PROJECT_ID\u003d6890f5679f304671aba65dfd4e9b11f5\n```\nOtherwise, you will not be able to retrieve catalog and the openstack command will not work correctly.\nIn this case, I think you will also need to configure the authentication methods allowed by the external authorization server.\n```\n    export OS_EXTERNAL_OAUTH2_AUTH_METHOD\u003dclient_secret_basic/client_secret_post/client_secret_jwt/private_key_jwt\n```","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"acfb1b6c819c743620d0c3f3e3d4ce0a31c1ea70","unresolved":true,"context_lines":[{"line_number":180,"context_line":""},{"line_number":181,"context_line":"::"},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"  export OS_AUTH_TYPE\u003dv3externaloauth2password"},{"line_number":184,"context_line":"  export OS_EXTERNAL_OAUTH2_ENDPOINT\u003dhttps://keycloak/protocol/openid-connect/token"},{"line_number":185,"context_line":"  export OS_EXTERNAL_OAUTH2_CLIENT_ID\u003d333e5ae19cbb47e8b18969306582be25"},{"line_number":186,"context_line":"  export OS_EXTERNAL_OAUTH2_CLIENT_SECRET\u003d333e5ae19cbb47e8b18969306582be25"},{"line_number":187,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"},{"line_number":188,"context_line":"  export OS_EXTERNAL_OAUTH2_CACERT\u003d/opt/stack/keycloak_ca.pem"},{"line_number":189,"context_line":"  export OS_EXTERNAL_OAUTH2_CERT\u003d/opt/stack/client.pem"},{"line_number":190,"context_line":"  export OS_EXTERNAL_OAUTH2_KEY\u003d/opt/stack/client.key"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"Security Impact"},{"line_number":193,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"497cec17_6e9f7d94","line":190,"range":{"start_line":183,"start_character":0,"end_line":190,"end_character":53},"in_reply_to":"2b58c47b_912e2d39","updated":"2022-11-29 01:43:18.000000000","message":"\u003e you will not be able to retrieve catalog \n\nJust a question. As I mentioned in [1], I assume the situation where a OpenStack service is deployed as a standalone service. Do you think we need service catalogs in this situation?\n\n\n[1] https://review.opendev.org/c/openstack/keystone-specs/+/861554/3/specs/keystonemiddleware/2023.1/external_authentication_server_oauth2_grant_support.rst#19","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"b9d82f575d9646f8800f2eff6be2ca667bb654d4","unresolved":true,"context_lines":[{"line_number":261,"context_line":"  mapping_project_domain_name\u003ddomain_name"},{"line_number":262,"context_line":"  mapping_tenant_id\u003dtenant_id"},{"line_number":263,"context_line":"  mapping_tenant_name\u003dtenant_name"},{"line_number":264,"context_line":"  mapping_provider_id\u003dprovider_id"},{"line_number":265,"context_line":"  mapping_provider_name\u003dprovider_name"},{"line_number":266,"context_line":"  mapping_user_id\u003duser_id"},{"line_number":267,"context_line":"  mapping_user_name\u003dusername"},{"line_number":268,"context_line":"  mapping_user_domain_id\u003ddomain_id"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4cde651e_d83982b6","line":265,"range":{"start_line":264,"start_character":0,"end_line":265,"end_character":37},"updated":"2022-11-04 06:08:03.000000000","message":"I think this setting is unnecessary.","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"acfb1b6c819c743620d0c3f3e3d4ce0a31c1ea70","unresolved":true,"context_lines":[{"line_number":261,"context_line":"  mapping_project_domain_name\u003ddomain_name"},{"line_number":262,"context_line":"  mapping_tenant_id\u003dtenant_id"},{"line_number":263,"context_line":"  mapping_tenant_name\u003dtenant_name"},{"line_number":264,"context_line":"  mapping_provider_id\u003dprovider_id"},{"line_number":265,"context_line":"  mapping_provider_name\u003dprovider_name"},{"line_number":266,"context_line":"  mapping_user_id\u003duser_id"},{"line_number":267,"context_line":"  mapping_user_name\u003dusername"},{"line_number":268,"context_line":"  mapping_user_domain_id\u003ddomain_id"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c4ced953_6d799b8c","line":265,"range":{"start_line":264,"start_character":0,"end_line":265,"end_character":37},"in_reply_to":"4cde651e_d83982b6","updated":"2022-11-29 01:43:18.000000000","message":"fixed","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"00cdf68bca34cea8e6192159ea5def3dc8e50268","unresolved":true,"context_lines":[{"line_number":245,"context_line":"::"},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"  [keystone_authtoken]"},{"line_number":248,"context_line":"  memcached_servers\u003dlocalhost:11211"},{"line_number":249,"context_line":"  introspect_endpoint\u003dhttps://keycloak/protocol/openid-connect/token/introspect"},{"line_number":250,"context_line":"  auth_method\u003dclient_secret_basic"},{"line_number":251,"context_line":"  client_id\u003dtacker_client_id"},{"line_number":252,"context_line":"  client_secret\u003dtacker_client_secret"},{"line_number":253,"context_line":"  jwt_key\u003d/opt/stack/jwt.pem"},{"line_number":254,"context_line":"  jwt_algorithm\u003dS256"},{"line_number":255,"context_line":"  # the mapping from metadata obtained from External Authorization Server to OpenStack Services variables"},{"line_number":256,"context_line":"  mapping_domain_id\u003ddomain_id"},{"line_number":257,"context_line":"  mapping_domain_name\u003ddomain_name"},{"line_number":258,"context_line":"  mapping_project_id\u003dtenant_id"},{"line_number":259,"context_line":"  mapping_project_name\u003dtenant_name"},{"line_number":260,"context_line":"  mapping_project_domain_id\u003ddomain_id"},{"line_number":261,"context_line":"  mapping_project_domain_name\u003ddomain_name"},{"line_number":262,"context_line":"  mapping_tenant_id\u003dtenant_id"},{"line_number":263,"context_line":"  mapping_tenant_name\u003dtenant_name"},{"line_number":264,"context_line":"  mapping_provider_id\u003dprovider_id"},{"line_number":265,"context_line":"  mapping_provider_name\u003dprovider_name"},{"line_number":266,"context_line":"  mapping_user_id\u003duser_id"},{"line_number":267,"context_line":"  mapping_user_name\u003dusername"},{"line_number":268,"context_line":"  mapping_user_domain_id\u003ddomain_id"},{"line_number":269,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":270,"context_line":"  mapping_roles\u003droles"},{"line_number":271,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"},{"line_number":272,"context_line":"  # auth_method\u003dtls_client_auth"},{"line_number":273,"context_line":"  # cacert\u003d/opt/stack/keycloak_ca.pem"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9083fc80_7a2f66fd","line":270,"range":{"start_line":248,"start_character":0,"end_line":270,"end_character":21},"updated":"2022-11-08 06:26:39.000000000","message":"In the case of jwt, aud (Audience) and exp (Expiration Time) claims are required, so I think it is necessary to add the following setting in addition to the setting described here.\n```\naudience\u003dhttps://\u003ckeycloak_host\u003e:\u003cport\u003e/realms/\u003crealm_name\u003e\njwt_bearer_time_out\u003d3600\n```","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"acfb1b6c819c743620d0c3f3e3d4ce0a31c1ea70","unresolved":true,"context_lines":[{"line_number":245,"context_line":"::"},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"  [keystone_authtoken]"},{"line_number":248,"context_line":"  memcached_servers\u003dlocalhost:11211"},{"line_number":249,"context_line":"  introspect_endpoint\u003dhttps://keycloak/protocol/openid-connect/token/introspect"},{"line_number":250,"context_line":"  auth_method\u003dclient_secret_basic"},{"line_number":251,"context_line":"  client_id\u003dtacker_client_id"},{"line_number":252,"context_line":"  client_secret\u003dtacker_client_secret"},{"line_number":253,"context_line":"  jwt_key\u003d/opt/stack/jwt.pem"},{"line_number":254,"context_line":"  jwt_algorithm\u003dS256"},{"line_number":255,"context_line":"  # the mapping from metadata obtained from External Authorization Server to OpenStack Services variables"},{"line_number":256,"context_line":"  mapping_domain_id\u003ddomain_id"},{"line_number":257,"context_line":"  mapping_domain_name\u003ddomain_name"},{"line_number":258,"context_line":"  mapping_project_id\u003dtenant_id"},{"line_number":259,"context_line":"  mapping_project_name\u003dtenant_name"},{"line_number":260,"context_line":"  mapping_project_domain_id\u003ddomain_id"},{"line_number":261,"context_line":"  mapping_project_domain_name\u003ddomain_name"},{"line_number":262,"context_line":"  mapping_tenant_id\u003dtenant_id"},{"line_number":263,"context_line":"  mapping_tenant_name\u003dtenant_name"},{"line_number":264,"context_line":"  mapping_provider_id\u003dprovider_id"},{"line_number":265,"context_line":"  mapping_provider_name\u003dprovider_name"},{"line_number":266,"context_line":"  mapping_user_id\u003duser_id"},{"line_number":267,"context_line":"  mapping_user_name\u003dusername"},{"line_number":268,"context_line":"  mapping_user_domain_id\u003ddomain_id"},{"line_number":269,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":270,"context_line":"  mapping_roles\u003droles"},{"line_number":271,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"},{"line_number":272,"context_line":"  # auth_method\u003dtls_client_auth"},{"line_number":273,"context_line":"  # cacert\u003d/opt/stack/keycloak_ca.pem"}],"source_content_type":"text/x-rst","patch_set":3,"id":"494fe351_4524e826","line":270,"range":{"start_line":248,"start_character":0,"end_line":270,"end_character":21},"in_reply_to":"9083fc80_7a2f66fd","updated":"2022-11-29 01:43:18.000000000","message":"fixed","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"b9d82f575d9646f8800f2eff6be2ca667bb654d4","unresolved":true,"context_lines":[{"line_number":269,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":270,"context_line":"  mapping_roles\u003droles"},{"line_number":271,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"},{"line_number":272,"context_line":"  # auth_method\u003dtls_client_auth"},{"line_number":273,"context_line":"  # cacert\u003d/opt/stack/keycloak_ca.pem"},{"line_number":274,"context_line":"  # key\u003d/opt/stack/tacker_client.key"},{"line_number":275,"context_line":"  # cert\u003d/opt/stack/tacker_client.pem"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1dcdd09f_c13f38d1","line":272,"range":{"start_line":272,"start_character":0,"end_line":272,"end_character":31},"updated":"2022-11-04 06:08:03.000000000","message":"I think this setting is unnecessary because a client certificate is considered to have been used with mTLS.\nIf you need to add a setting, it should have a different name as the parameter name conflicts with line 250.","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"00cdf68bca34cea8e6192159ea5def3dc8e50268","unresolved":true,"context_lines":[{"line_number":269,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":270,"context_line":"  mapping_roles\u003droles"},{"line_number":271,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"},{"line_number":272,"context_line":"  # auth_method\u003dtls_client_auth"},{"line_number":273,"context_line":"  # cacert\u003d/opt/stack/keycloak_ca.pem"},{"line_number":274,"context_line":"  # key\u003d/opt/stack/tacker_client.key"},{"line_number":275,"context_line":"  # cert\u003d/opt/stack/tacker_client.pem"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3dcd3247_31c13f25","line":272,"range":{"start_line":272,"start_character":0,"end_line":272,"end_character":31},"in_reply_to":"1dcdd09f_c13f38d1","updated":"2022-11-08 06:26:39.000000000","message":"Regarding the setting of auth_method\u003dtls_client_auth, I stated in the previous comment that I think it is unnecessary, but as a result of the investigation, I understand it is necessary, so I would like to withdraw my comment.\nI think auth_method should support the following five authentication methods:.\n```\ntls_client_auth\nclient_secret_basic\nclient_secret_post\nclient_secret_jwt\nprivate_key_jwt\n```","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"acfb1b6c819c743620d0c3f3e3d4ce0a31c1ea70","unresolved":false,"context_lines":[{"line_number":269,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":270,"context_line":"  mapping_roles\u003droles"},{"line_number":271,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"},{"line_number":272,"context_line":"  # auth_method\u003dtls_client_auth"},{"line_number":273,"context_line":"  # cacert\u003d/opt/stack/keycloak_ca.pem"},{"line_number":274,"context_line":"  # key\u003d/opt/stack/tacker_client.key"},{"line_number":275,"context_line":"  # cert\u003d/opt/stack/tacker_client.pem"}],"source_content_type":"text/x-rst","patch_set":3,"id":"dcba8f35_4b21e5ed","line":272,"range":{"start_line":272,"start_character":0,"end_line":272,"end_character":31},"in_reply_to":"3dcd3247_31c13f25","updated":"2022-11-29 01:43:18.000000000","message":"Ack","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"b9d82f575d9646f8800f2eff6be2ca667bb654d4","unresolved":true,"context_lines":[{"line_number":285,"context_line":""},{"line_number":286,"context_line":"::"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"  export OS_AUTH_TYPE\u003dv3oauth2token"},{"line_number":289,"context_line":"  export OS_TOKEN\u003df69c9fb6947c47329b8955d629ac5722"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c6d7b59f_0df416ff","line":288,"range":{"start_line":288,"start_character":0,"end_line":288,"end_character":35},"updated":"2022-11-04 06:08:03.000000000","message":"Do both the v3externaloauth2password (described in line 183) and v3oauth2token authentication types need to be added to keystoneauth?","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"acfb1b6c819c743620d0c3f3e3d4ce0a31c1ea70","unresolved":true,"context_lines":[{"line_number":285,"context_line":""},{"line_number":286,"context_line":"::"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"  export OS_AUTH_TYPE\u003dv3oauth2token"},{"line_number":289,"context_line":"  export OS_TOKEN\u003df69c9fb6947c47329b8955d629ac5722"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":3,"id":"925685ab_ed9240d4","line":288,"range":{"start_line":288,"start_character":0,"end_line":288,"end_character":35},"in_reply_to":"c6d7b59f_0df416ff","updated":"2022-11-29 01:43:18.000000000","message":"``v3externaloauth2password`` is an alternative. So, I\u0027m not intend to support both types.","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33920,"name":"Yusuke Niimi","email":"niimi.yusuke@fujitsu.com","username":"yniimi"},"change_message_id":"b9d82f575d9646f8800f2eff6be2ca667bb654d4","unresolved":true,"context_lines":[{"line_number":286,"context_line":"::"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"  export OS_AUTH_TYPE\u003dv3oauth2token"},{"line_number":289,"context_line":"  export OS_TOKEN\u003df69c9fb6947c47329b8955d629ac5722"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"Developer Impact"},{"line_number":292,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"e04f912d_19df5925","line":289,"range":{"start_line":289,"start_character":0,"end_line":289,"end_character":50},"updated":"2022-11-04 06:08:03.000000000","message":"I think OS_AUTH2_ACCESS_TOKEN needs to be added as a setting item.\nOS_TOKEN is the Token used to retrieve catalog from keystone, and OS_AUTH2_ACCESS_TOKEN is the token obtained from the external authorization server.","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"acfb1b6c819c743620d0c3f3e3d4ce0a31c1ea70","unresolved":true,"context_lines":[{"line_number":286,"context_line":"::"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"  export OS_AUTH_TYPE\u003dv3oauth2token"},{"line_number":289,"context_line":"  export OS_TOKEN\u003df69c9fb6947c47329b8955d629ac5722"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"Developer Impact"},{"line_number":292,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b3e6cf15_089a495b","line":289,"range":{"start_line":289,"start_character":0,"end_line":289,"end_character":50},"in_reply_to":"e04f912d_19df5925","updated":"2022-11-29 01:43:18.000000000","message":"As I mentioned in [1], I assume the situation where a OpenStack service is deployed as a standalone service. Do you think we need service catalogs in this situation?","commit_id":"e2a92806681b2b8cd07580688044a73fbd2b88ff"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d4266b6d42e5e9b621fc49053f63e1e6ae6b3e90","unresolved":true,"context_lines":[{"line_number":100,"context_line":"    \"Keystone Middleware\" -\u003e AuthServer"},{"line_number":101,"context_line":"    [label \u003d \"3. POST\\n /external-authz-server/introspect\\n with client credentials for the Keystone Middleware\\n and the Access Token\"];"},{"line_number":102,"context_line":"    \"Keystone Middleware\" \u003c-- AuthServer"},{"line_number":103,"context_line":"    [label \u003d \"Response 200 OK\\n with Access Token metadata\"];"},{"line_number":104,"context_line":"    \"Keystone Middleware\" -\u003e \"Keystone Middleware\""},{"line_number":105,"context_line":"    [label \u003d \"4. parse\\n the necessary\\n information\\n from the metadata\"];"},{"line_number":106,"context_line":"    \"Keystone Middleware\" -\u003e \"Keystone Middleware\""},{"line_number":107,"context_line":"    [label \u003d \"5. set\\n request.environ\\n with the necessary\\n information\"];"},{"line_number":108,"context_line":"    \"OpenStack Service\" \u003c-- \"Keystone Middleware\""},{"line_number":109,"context_line":"    [label \u003d \"return request.environ\\n with the necessary\\n information\"];"},{"line_number":110,"context_line":"    \"OpenStack Service\" -\u003e \"OpenStack Service\""},{"line_number":111,"context_line":"    [label \u003d \"6. continue\\n OpenStack\\n Service\\n processing\"];"},{"line_number":112,"context_line":"    \"Client\" \u003c-- \"OpenStack Service\""},{"line_number":113,"context_line":"    [label \u003d \"API response\"];"}],"source_content_type":"text/x-rst","patch_set":6,"id":"0cb4e8d9_e8b7ac53","line":110,"range":{"start_line":103,"start_character":0,"end_line":110,"end_character":46},"updated":"2023-03-27 19:28:24.000000000","message":"Will the middleware handle token caching? or is the intent to cross-validate every request? I know in previous projects I did oauth2 with, we kept a session cache and invalidated after a period of time.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"8c61d22828ec15bf14eb288cf776953d940eb0b1","unresolved":true,"context_lines":[{"line_number":100,"context_line":"    \"Keystone Middleware\" -\u003e AuthServer"},{"line_number":101,"context_line":"    [label \u003d \"3. POST\\n /external-authz-server/introspect\\n with client credentials for the Keystone Middleware\\n and the Access Token\"];"},{"line_number":102,"context_line":"    \"Keystone Middleware\" \u003c-- AuthServer"},{"line_number":103,"context_line":"    [label \u003d \"Response 200 OK\\n with Access Token metadata\"];"},{"line_number":104,"context_line":"    \"Keystone Middleware\" -\u003e \"Keystone Middleware\""},{"line_number":105,"context_line":"    [label \u003d \"4. parse\\n the necessary\\n information\\n from the metadata\"];"},{"line_number":106,"context_line":"    \"Keystone Middleware\" -\u003e \"Keystone Middleware\""},{"line_number":107,"context_line":"    [label \u003d \"5. set\\n request.environ\\n with the necessary\\n information\"];"},{"line_number":108,"context_line":"    \"OpenStack Service\" \u003c-- \"Keystone Middleware\""},{"line_number":109,"context_line":"    [label \u003d \"return request.environ\\n with the necessary\\n information\"];"},{"line_number":110,"context_line":"    \"OpenStack Service\" -\u003e \"OpenStack Service\""},{"line_number":111,"context_line":"    [label \u003d \"6. continue\\n OpenStack\\n Service\\n processing\"];"},{"line_number":112,"context_line":"    \"Client\" \u003c-- \"OpenStack Service\""},{"line_number":113,"context_line":"    [label \u003d \"API response\"];"}],"source_content_type":"text/x-rst","patch_set":6,"id":"34066db1_5e76afc3","line":110,"range":{"start_line":103,"start_character":0,"end_line":110,"end_character":46},"in_reply_to":"0cb4e8d9_e8b7ac53","updated":"2023-05-16 12:55:37.000000000","message":"As for now, we haven\u0027t implemented caching, but we will.\nI\u0027ll add a step and description for the token caching.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ccc4d58956d4a053c40845c30cd2adc856d6ea6b","unresolved":true,"context_lines":[{"line_number":100,"context_line":"    \"Keystone Middleware\" -\u003e AuthServer"},{"line_number":101,"context_line":"    [label \u003d \"3. POST\\n /external-authz-server/introspect\\n with client credentials for the Keystone Middleware\\n and the Access Token\"];"},{"line_number":102,"context_line":"    \"Keystone Middleware\" \u003c-- AuthServer"},{"line_number":103,"context_line":"    [label \u003d \"Response 200 OK\\n with Access Token metadata\"];"},{"line_number":104,"context_line":"    \"Keystone Middleware\" -\u003e \"Keystone Middleware\""},{"line_number":105,"context_line":"    [label \u003d \"4. parse\\n the necessary\\n information\\n from the metadata\"];"},{"line_number":106,"context_line":"    \"Keystone Middleware\" -\u003e \"Keystone Middleware\""},{"line_number":107,"context_line":"    [label \u003d \"5. set\\n request.environ\\n with the necessary\\n information\"];"},{"line_number":108,"context_line":"    \"OpenStack Service\" \u003c-- \"Keystone Middleware\""},{"line_number":109,"context_line":"    [label \u003d \"return request.environ\\n with the necessary\\n information\"];"},{"line_number":110,"context_line":"    \"OpenStack Service\" -\u003e \"OpenStack Service\""},{"line_number":111,"context_line":"    [label \u003d \"6. continue\\n OpenStack\\n Service\\n processing\"];"},{"line_number":112,"context_line":"    \"Client\" \u003c-- \"OpenStack Service\""},{"line_number":113,"context_line":"    [label \u003d \"API response\"];"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9646ecc5_861e5f16","line":110,"range":{"start_line":103,"start_character":0,"end_line":110,"end_character":46},"in_reply_to":"34066db1_5e76afc3","updated":"2023-05-19 13:50:39.000000000","message":"Cool, thanks.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d4266b6d42e5e9b621fc49053f63e1e6ae6b3e90","unresolved":true,"context_lines":[{"line_number":139,"context_line":"#. The Keystone Middleware uses the mapping definition in the config file to"},{"line_number":140,"context_line":"   parse all the necessary information from the metadata. If the parsing fails,"},{"line_number":141,"context_line":"   the Keystone Middleware sends an error response such as ``403 Forbidden`` to"},{"line_number":142,"context_line":"   the Client."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"#. Keystone Middleware sets the environment variables in the OpenStack service"},{"line_number":145,"context_line":"   HTTP request with the required information."}],"source_content_type":"text/x-rst","patch_set":6,"id":"ccf90629_9b65b6ea","line":142,"updated":"2023-03-27 19:28:24.000000000","message":"nit: It might be good to have an example of this. I think I understand what is being conveyed here, but I have an understanding of how oauth2 works and not everyone might.\n\nfollow-up: I see the example later on.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"154f691246af35f0c008b021e8045b9f6711fc49","unresolved":true,"context_lines":[{"line_number":139,"context_line":"#. The Keystone Middleware uses the mapping definition in the config file to"},{"line_number":140,"context_line":"   parse all the necessary information from the metadata. If the parsing fails,"},{"line_number":141,"context_line":"   the Keystone Middleware sends an error response such as ``403 Forbidden`` to"},{"line_number":142,"context_line":"   the Client."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"#. Keystone Middleware sets the environment variables in the OpenStack service"},{"line_number":145,"context_line":"   HTTP request with the required information."}],"source_content_type":"text/x-rst","patch_set":6,"id":"e18da9bb_53da36a7","line":142,"in_reply_to":"ccf90629_9b65b6ea","updated":"2023-05-30 15:57:41.000000000","message":"To make sure, I need to confirm if the actual code is in line with your thought. In the actual code, OpenStack attributes that can be mapped are fixed, and you can freely set what attribute names in the token metadata will be retrieved [1]. Is this what you expected?\n\n[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/868734/14/keystonemiddleware/external_oauth2_token.py#103","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d4266b6d42e5e9b621fc49053f63e1e6ae6b3e90","unresolved":true,"context_lines":[{"line_number":170,"context_line":"---------------"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"* During the OAuth2.0 Client Credentials Grant flow, some sensitive values are"},{"line_number":173,"context_line":"  sent in plain text. Thus, Keystone using this feature must enable HTTPS."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* Check the security requirements of a third-party authorization server"},{"line_number":176,"context_line":"  and do not access vulnerable one."}],"source_content_type":"text/x-rst","patch_set":6,"id":"4936a96e_0653d940","line":173,"range":{"start_line":173,"start_character":21,"end_line":173,"end_character":74},"updated":"2023-03-27 19:28:24.000000000","message":"The middleware client?\n\nThis should be operational parameters based upon configured endpoint urls. i.e. yes someone could configure it with http, they would be wrong to it that way, but that should not have any bearing on keystone itself. Could something else be meant by this?","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9847a63fae112ff477f42c98ec8d7f7acf0d9388","unresolved":true,"context_lines":[{"line_number":170,"context_line":"---------------"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"* During the OAuth2.0 Client Credentials Grant flow, some sensitive values are"},{"line_number":173,"context_line":"  sent in plain text. Thus, Keystone using this feature must enable HTTPS."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* Check the security requirements of a third-party authorization server"},{"line_number":176,"context_line":"  and do not access vulnerable one."}],"source_content_type":"text/x-rst","patch_set":6,"id":"4b557afe_70f5df4d","line":173,"range":{"start_line":173,"start_character":21,"end_line":173,"end_character":74},"in_reply_to":"09d0684c_b49685d5","updated":"2023-05-19 16:35:29.000000000","message":"I think you meant instead of Keystone, that you were actually talking about keystonemiddleware doing a thing.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"8c61d22828ec15bf14eb288cf776953d940eb0b1","unresolved":true,"context_lines":[{"line_number":170,"context_line":"---------------"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"* During the OAuth2.0 Client Credentials Grant flow, some sensitive values are"},{"line_number":173,"context_line":"  sent in plain text. Thus, Keystone using this feature must enable HTTPS."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* Check the security requirements of a third-party authorization server"},{"line_number":176,"context_line":"  and do not access vulnerable one."}],"source_content_type":"text/x-rst","patch_set":6,"id":"09d0684c_b49685d5","line":173,"range":{"start_line":173,"start_character":21,"end_line":173,"end_character":74},"in_reply_to":"4936a96e_0653d940","updated":"2023-05-16 12:55:37.000000000","message":"As you pointed out, it\u0027s not keystone\u0027s matter, but I thought it\u0027s better to mention all security risks we can imagine. In this sense, it should be a recommendation rather than saying \"must\". Do you agree with that? At least, we have to add warnings to the user document to ensure users use this feature securely.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"154f691246af35f0c008b021e8045b9f6711fc49","unresolved":true,"context_lines":[{"line_number":170,"context_line":"---------------"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"* During the OAuth2.0 Client Credentials Grant flow, some sensitive values are"},{"line_number":173,"context_line":"  sent in plain text. Thus, Keystone using this feature must enable HTTPS."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* Check the security requirements of a third-party authorization server"},{"line_number":176,"context_line":"  and do not access vulnerable one."}],"source_content_type":"text/x-rst","patch_set":6,"id":"e7dfeea4_1b19f530","line":173,"range":{"start_line":173,"start_character":21,"end_line":173,"end_character":74},"in_reply_to":"4b557afe_70f5df4d","updated":"2023-05-30 15:57:41.000000000","message":"Sorry, my bad. You\u0027re right. It should be like \"it is recommended to use endpoints with HTTPS enabled in keystonemiddleware using this feature\". I\u0027ve updated spec.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d4266b6d42e5e9b621fc49053f63e1e6ae6b3e90","unresolved":true,"context_lines":[{"line_number":172,"context_line":"* During the OAuth2.0 Client Credentials Grant flow, some sensitive values are"},{"line_number":173,"context_line":"  sent in plain text. Thus, Keystone using this feature must enable HTTPS."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* Check the security requirements of a third-party authorization server"},{"line_number":176,"context_line":"  and do not access vulnerable one."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Notifications Impact"},{"line_number":179,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"064491a1_899becbb","line":176,"range":{"start_line":175,"start_character":0,"end_line":176,"end_character":35},"updated":"2023-03-27 19:28:24.000000000","message":"I\u0027m not sure I understand this. Could we get this elaborated upon?","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"8c61d22828ec15bf14eb288cf776953d940eb0b1","unresolved":true,"context_lines":[{"line_number":172,"context_line":"* During the OAuth2.0 Client Credentials Grant flow, some sensitive values are"},{"line_number":173,"context_line":"  sent in plain text. Thus, Keystone using this feature must enable HTTPS."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* Check the security requirements of a third-party authorization server"},{"line_number":176,"context_line":"  and do not access vulnerable one."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Notifications Impact"},{"line_number":179,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7c0fef4c_092a62c0","line":176,"range":{"start_line":175,"start_character":0,"end_line":176,"end_character":35},"in_reply_to":"064491a1_899becbb","updated":"2023-05-16 12:55:37.000000000","message":"Removed it as I forgot an original motivation for writing this. I guess I meant to say connecting to other authorization servers than Keystone might impact on the security level of your OpenStack.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9847a63fae112ff477f42c98ec8d7f7acf0d9388","unresolved":true,"context_lines":[{"line_number":172,"context_line":"* During the OAuth2.0 Client Credentials Grant flow, some sensitive values are"},{"line_number":173,"context_line":"  sent in plain text. Thus, Keystone using this feature must enable HTTPS."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* Check the security requirements of a third-party authorization server"},{"line_number":176,"context_line":"  and do not access vulnerable one."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Notifications Impact"},{"line_number":179,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5b2d7281_93914268","line":176,"range":{"start_line":175,"start_character":0,"end_line":176,"end_character":35},"in_reply_to":"7c0fef4c_092a62c0","updated":"2023-05-19 16:35:29.000000000","message":"That makes so much more sense now. Thanks!","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d4266b6d42e5e9b621fc49053f63e1e6ae6b3e90","unresolved":true,"context_lines":[{"line_number":210,"context_line":".. note:: If the Openstack services require authorization to an external"},{"line_number":211,"context_line":"   authorization server through Keystone Middleware, the config for each"},{"line_number":212,"context_line":"   service must be changed. This section shows how to set up Tacker as an"},{"line_number":213,"context_line":"   example."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"In order for Keystone Middleware to access the External Authentication Server"},{"line_number":216,"context_line":"for token verification and to obtain metadata, users has to configure Keystone"}],"source_content_type":"text/x-rst","patch_set":6,"id":"965a920b_68159aa4","line":213,"updated":"2023-03-27 19:28:24.000000000","message":"I *think* Ironic would need to add code to it\u0027s middleware loading to support the handoff. Nothing major, just it wouldn\u0027t be purely in configuration.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"9847a63fae112ff477f42c98ec8d7f7acf0d9388","unresolved":true,"context_lines":[{"line_number":210,"context_line":".. note:: If the Openstack services require authorization to an external"},{"line_number":211,"context_line":"   authorization server through Keystone Middleware, the config for each"},{"line_number":212,"context_line":"   service must be changed. This section shows how to set up Tacker as an"},{"line_number":213,"context_line":"   example."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"In order for Keystone Middleware to access the External Authentication Server"},{"line_number":216,"context_line":"for token verification and to obtain metadata, users has to configure Keystone"}],"source_content_type":"text/x-rst","patch_set":6,"id":"8484611e_b177ce13","line":213,"in_reply_to":"383ec957_33f98018","updated":"2023-05-19 16:35:29.000000000","message":"For what it is worth, I think it is reasonable, but it is good to just highlight that as a possibility.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bc0e2c4f1a6563485ab71d05541ae7cad0bb2214","unresolved":false,"context_lines":[{"line_number":210,"context_line":".. note:: If the Openstack services require authorization to an external"},{"line_number":211,"context_line":"   authorization server through Keystone Middleware, the config for each"},{"line_number":212,"context_line":"   service must be changed. This section shows how to set up Tacker as an"},{"line_number":213,"context_line":"   example."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"In order for Keystone Middleware to access the External Authentication Server"},{"line_number":216,"context_line":"for token verification and to obtain metadata, users has to configure Keystone"}],"source_content_type":"text/x-rst","patch_set":6,"id":"167472ac_fc348cd6","line":213,"in_reply_to":"7fba922a_2de76a40","updated":"2023-06-02 17:10:20.000000000","message":"Done","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"154f691246af35f0c008b021e8045b9f6711fc49","unresolved":true,"context_lines":[{"line_number":210,"context_line":".. note:: If the Openstack services require authorization to an external"},{"line_number":211,"context_line":"   authorization server through Keystone Middleware, the config for each"},{"line_number":212,"context_line":"   service must be changed. This section shows how to set up Tacker as an"},{"line_number":213,"context_line":"   example."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"In order for Keystone Middleware to access the External Authentication Server"},{"line_number":216,"context_line":"for token verification and to obtain metadata, users has to configure Keystone"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7fba922a_2de76a40","line":213,"in_reply_to":"8484611e_b177ce13","updated":"2023-05-30 15:57:41.000000000","message":"I\u0027ve added a warning. A note is inconspicuous, so.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"8c61d22828ec15bf14eb288cf776953d940eb0b1","unresolved":true,"context_lines":[{"line_number":210,"context_line":".. note:: If the Openstack services require authorization to an external"},{"line_number":211,"context_line":"   authorization server through Keystone Middleware, the config for each"},{"line_number":212,"context_line":"   service must be changed. This section shows how to set up Tacker as an"},{"line_number":213,"context_line":"   example."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"In order for Keystone Middleware to access the External Authentication Server"},{"line_number":216,"context_line":"for token verification and to obtain metadata, users has to configure Keystone"}],"source_content_type":"text/x-rst","patch_set":6,"id":"383ec957_33f98018","line":213,"in_reply_to":"965a920b_68159aa4","updated":"2023-05-16 12:55:37.000000000","message":"I guess so.\nI\u0027ll mention that some OpenStack services might have to change their codes to use this plugin. Getting the similar information that service catalog provides in the different way, for example.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d4266b6d42e5e9b621fc49053f63e1e6ae6b3e90","unresolved":true,"context_lines":[{"line_number":222,"context_line":"specify the mapping between metadata obtained from External Authorization"},{"line_number":223,"context_line":"Server to OpenStack Services variables. For example, with"},{"line_number":224,"context_line":"``mapping_project_id\u003dtenant_id``, Keystone Middleware retrieves a value with a"},{"line_number":225,"context_line":"key ``tenant_id`` from the metadata and sets that value as an environment"},{"line_number":226,"context_line":"variable ``HTTP_X_PROJECT_ID`` in a request."},{"line_number":227,"context_line":""},{"line_number":228,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"e969ce75_77021aa5","line":225,"range":{"start_line":225,"start_character":26,"end_line":225,"end_character":35},"updated":"2023-03-27 19:28:24.000000000","message":"nit: s/metadata/metadata returned from the authorization server/","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"8c61d22828ec15bf14eb288cf776953d940eb0b1","unresolved":true,"context_lines":[{"line_number":222,"context_line":"specify the mapping between metadata obtained from External Authorization"},{"line_number":223,"context_line":"Server to OpenStack Services variables. For example, with"},{"line_number":224,"context_line":"``mapping_project_id\u003dtenant_id``, Keystone Middleware retrieves a value with a"},{"line_number":225,"context_line":"key ``tenant_id`` from the metadata and sets that value as an environment"},{"line_number":226,"context_line":"variable ``HTTP_X_PROJECT_ID`` in a request."},{"line_number":227,"context_line":""},{"line_number":228,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"eb4897f3_2642e703","line":225,"range":{"start_line":225,"start_character":26,"end_line":225,"end_character":35},"in_reply_to":"e969ce75_77021aa5","updated":"2023-05-16 12:55:37.000000000","message":"I\u0027ll fix it.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"d4266b6d42e5e9b621fc49053f63e1e6ae6b3e90","unresolved":true,"context_lines":[{"line_number":244,"context_line":"  mapping_user_name\u003dusername"},{"line_number":245,"context_line":"  mapping_user_domain_id\u003ddomain_id"},{"line_number":246,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":247,"context_line":"  mapping_roles\u003droles"},{"line_number":248,"context_line":"  audience\u003dhttps://\u003ckeycloak_host\u003e:\u003cport\u003e/realms/\u003crealm_name\u003e"},{"line_number":249,"context_line":"  jwt_bearer_time_out\u003d3600"},{"line_number":250,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"}],"source_content_type":"text/x-rst","patch_set":6,"id":"61159dfc_c1567250","line":247,"updated":"2023-03-27 19:28:24.000000000","message":"What about request scope?","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"154f691246af35f0c008b021e8045b9f6711fc49","unresolved":true,"context_lines":[{"line_number":244,"context_line":"  mapping_user_name\u003dusername"},{"line_number":245,"context_line":"  mapping_user_domain_id\u003ddomain_id"},{"line_number":246,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":247,"context_line":"  mapping_roles\u003droles"},{"line_number":248,"context_line":"  audience\u003dhttps://\u003ckeycloak_host\u003e:\u003cport\u003e/realms/\u003crealm_name\u003e"},{"line_number":249,"context_line":"  jwt_bearer_time_out\u003d3600"},{"line_number":250,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"}],"source_content_type":"text/x-rst","patch_set":6,"id":"ecc704b3_fc4bd5b0","line":247,"in_reply_to":"1974f242_4faff9b0","updated":"2023-05-30 15:57:41.000000000","message":"Make sense for me. Thanks.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"8c61d22828ec15bf14eb288cf776953d940eb0b1","unresolved":true,"context_lines":[{"line_number":244,"context_line":"  mapping_user_name\u003dusername"},{"line_number":245,"context_line":"  mapping_user_domain_id\u003ddomain_id"},{"line_number":246,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":247,"context_line":"  mapping_roles\u003droles"},{"line_number":248,"context_line":"  audience\u003dhttps://\u003ckeycloak_host\u003e:\u003cport\u003e/realms/\u003crealm_name\u003e"},{"line_number":249,"context_line":"  jwt_bearer_time_out\u003d3600"},{"line_number":250,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c2b9c4ae_43f2cb6d","line":247,"in_reply_to":"61159dfc_c1567250","updated":"2023-05-16 12:55:37.000000000","message":"According to the discussion on the PTG, we\u0027ll add two kinds of scope \"system scope\" and \"project scope\" which is already implemented.\nLet me confirm. Does \"system scope\" mean a token is not bound to any tenants, i.e., it behaves like admin role?","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ccc4d58956d4a053c40845c30cd2adc856d6ea6b","unresolved":true,"context_lines":[{"line_number":244,"context_line":"  mapping_user_name\u003dusername"},{"line_number":245,"context_line":"  mapping_user_domain_id\u003ddomain_id"},{"line_number":246,"context_line":"  mapping_user_domain_name\u003ddomain_name"},{"line_number":247,"context_line":"  mapping_roles\u003droles"},{"line_number":248,"context_line":"  audience\u003dhttps://\u003ckeycloak_host\u003e:\u003cport\u003e/realms/\u003crealm_name\u003e"},{"line_number":249,"context_line":"  jwt_bearer_time_out\u003d3600"},{"line_number":250,"context_line":"  # In the case where mTLS OAuth2.0 is used, the following variables also have to be set"}],"source_content_type":"text/x-rst","patch_set":6,"id":"1974f242_4faff9b0","line":247,"in_reply_to":"c2b9c4ae_43f2cb6d","updated":"2023-05-19 13:50:39.000000000","message":"Yes, system scope is \"interaction with the system, as in openstack services outside the scope of any tenants. For example, If I wanted to administrate the various tenants, I would do it as a system scoped user. In ironic, hardware which is not marked with an owner is \"owned\" by the system itself. Most openstack projects have realized they don\u0027t operate at a level where system scope makes a ton of sense, but some do and it remains applicable.","commit_id":"8c0b79dabc4dd40fdb51e843f777a252eb6f5e8d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b63dce42a50fad208546b2839ed0c6eb959d637a","unresolved":true,"context_lines":[{"line_number":8,"context_line":"External OAuth2.0 Authorization Server Support"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Provides a capability for the third-party Clients authenticated by an"},{"line_number":12,"context_line":"External Authorization Server via the Client Credentials"},{"line_number":13,"context_line":"Grant in `RFC6749 OAuth 2.0 Authorization Framework` [#oauth2_specification]_"},{"line_number":14,"context_line":"to access the protected OpenStack service directly."}],"source_content_type":"text/x-rst","patch_set":9,"id":"d40f0019_7dfbe40b","line":11,"updated":"2023-06-13 04:55:28.000000000","message":"I don\u0027t think it matters for the purposes of this spec how the client authenticated itself to the external authorization server. I think a better and more simple summary of this spec is:\n\nImplements support for Keystonemiddleware to use OAuth 2.0 Token Introspection (RFC 7662) to validate tokens with an external authorization server.","commit_id":"4dd8dfab34863240bd31d8ec70b5f0d33fa58524"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b63dce42a50fad208546b2839ed0c6eb959d637a","unresolved":true,"context_lines":[{"line_number":92,"context_line":"    Client; AuthServer [label \u003d \"External\\nAuthorization\\nServer\"]; \"Keystone Middleware\"; \"OpenStack Service\";"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"    Client -\u003e AuthServer"},{"line_number":95,"context_line":"    [label \u003d \"POST\\n /external-authz-server/token\\n with client credentials for the Client\"];"},{"line_number":96,"context_line":"    Client \u003c-- AuthServer"},{"line_number":97,"context_line":"    [label \u003d \"Response 200 OK\\n with Access Token\"];"},{"line_number":98,"context_line":"    Client -\u003e \"Keystone Middleware\""}],"source_content_type":"text/x-rst","patch_set":9,"id":"feaaee85_3e5227f0","line":95,"updated":"2023-06-13 04:55:28.000000000","message":"I don\u0027t think this spec should concern itself with how the user authenticates with the external authorization server.","commit_id":"4dd8dfab34863240bd31d8ec70b5f0d33fa58524"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bc0e2c4f1a6563485ab71d05541ae7cad0bb2214","unresolved":false,"context_lines":[{"line_number":164,"context_line":"  OAuth2.0 doesn\u0027t support users who are associated with multiple tenants like"},{"line_number":165,"context_line":"  the project of OpenStack. Therefore, this feature assumes that users"},{"line_number":166,"context_line":"  registered on an external authorization server are associated only with a"},{"line_number":167,"context_line":"  single tenant (e.g., realms in Keycloack)."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":".. note::"},{"line_number":170,"context_line":"  This feature only support the authorization servers that can provide enough"}],"source_content_type":"text/x-rst","patch_set":9,"id":"a32fa25c_b00e3d63","line":167,"updated":"2023-06-02 17:10:20.000000000","message":"Good addition. Thanks!","commit_id":"4dd8dfab34863240bd31d8ec70b5f0d33fa58524"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bc0e2c4f1a6563485ab71d05541ae7cad0bb2214","unresolved":true,"context_lines":[{"line_number":170,"context_line":"  This feature only support the authorization servers that can provide enough"},{"line_number":171,"context_line":"  information for OpenStack services to work correctly. At least,"},{"line_number":172,"context_line":"  ``user_role``, ``project`` and ``user_domain`` should be included in the"},{"line_number":173,"context_line":"  metadata of token introspection."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Alternatives"},{"line_number":176,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"df4bf6c2_6f0de119","line":173,"updated":"2023-06-02 17:10:20.000000000","message":"Overall yes, Roles also need to be supplied.","commit_id":"4dd8dfab34863240bd31d8ec70b5f0d33fa58524"}]}