)]}'
{"id":"openstack%2Fkeystoneauth~692140","triplet_id":"openstack%2Fkeystoneauth~master~Ie16831d1f002d879eb115356e4741959557068ae","project":"openstack/keystoneauth","branch":"master","topic":"bug/1850226","hashtags":[],"change_id":"Ie16831d1f002d879eb115356e4741959557068ae","subject":"Fixes OIDC authentication with multiple IdPs","status":"ABANDONED","created":"2019-10-30 13:33:07.000000000","updated":"2019-11-12 13:02:27.000000000","total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"cd2ecd90a0527145d0663f5c08d3411d4e2818d1","_number":692140,"virtual_id_number":692140,"owner":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"actions":{},"labels":{"Verified":{"disliked":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:check","value":-1,"date":"2019-11-06 19:22:11.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":-1,"default_value":0,"optional":true},"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":30695,"name":"Pedro 
Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"all":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},{"value":0,"permitted_voting_range":{"min":-1,"max":0},"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2019-10-31 18:42:30.000000000","updated_by":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"reviewer":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"state":"REVIEWER"},{"updated":"2019-11-04 
19:33:44.000000000","updated_by":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"reviewer":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"state":"REVIEWER"},{"updated":"2019-11-06 19:22:11.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"}],"messages":[{"id":"b814419ad273a6a9ab3e71e37999e3410f360ac6","author":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"date":"2019-10-30 13:33:07.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"9928b82e442da1067fe3ea3d831e43655a4e036f","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-10-30 15:19:12.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\n\n- tempest-full https://zuul.opendev.org/t/openstack/build/ff867daba18b481c9ea73f3e9e6f2508 : SUCCESS in 1h 40m 01s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/c89701ddf1b44c66a036d37440761c2d : SUCCESS in 1h 32m 37s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/c2eae6942d354d8f933bda43d59270e1 : SUCCESS in 5m 42s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/3a6dbf626632474dbc06de71db2f8e11 : SUCCESS in 4m 05s\n- openstack-tox-py27 https://zuul.opendev.org/t/openstack/build/b15e0dc9dc214129a5641aeaaa9ac6b0 : SUCCESS in 3m 14s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/74681c5c81fa49cead18994a0c67bcfb : SUCCESS in 3m 27s\n- openstack-tox-py37 https://zuul.opendev.org/t/openstack/build/1d7fb4e4597b4fcc896c7e44264646e7 : SUCCESS in 5m 25s\n- openstacksdk-functional-devstack-tips 
https://zuul.opendev.org/t/openstack/build/9769fab2a5794e0b93fe1bbec59d2a11 : SUCCESS in 52m 46s\n- openstacksdk-functional-devstack-tips-python2 https://zuul.opendev.org/t/openstack/build/baf5ad40d4324b2fade77f29ec53e245 : SUCCESS in 57m 10s\n- openstacksdk-tox-py36-tips https://zuul.opendev.org/t/openstack/build/f595db04bc5c4db2b8baa724bd9821df : SUCCESS in 4m 07s\n- osc-tox-py27-tips https://zuul.opendev.org/t/openstack/build/db4c133bbc0841afa39b812e1fcb3bc2 : SUCCESS in 4m 20s\n- osc-tox-py36-tips https://zuul.opendev.org/t/openstack/build/992d992b616247a89730527d097b9549 : SUCCESS in 4m 26s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/531b1b53e7d44326a8305866ca7fb5e7 : SUCCESS in 6m 31s","accounts_in_message":[],"_revision_number":1},{"id":"87959257edff71171ce2cd016ea9d7703e5b2f35","author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"date":"2019-10-31 18:42:30.000000000","message":"Patch Set 1: Code-Review+1","accounts_in_message":[],"_revision_number":1},{"id":"715871167255749457ac46c03b82bb0e16756dc0","author":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"date":"2019-11-01 16:16:40.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"e13f4cf13aa2da6cbf686bbc6f78c28021e11dfb","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-01 17:45:58.000000000","message":"Patch Set 2: Verified-1\n\nBuild failed (check pipeline).  
For information on how to proceed, see\nhttp://docs.openstack.org/infra/manual/developers.html#automated-testing\n\n\n- tempest-full https://zuul.opendev.org/t/openstack/build/d6f289f6a48545d69e00b5121cf6daef : SUCCESS in 1h 26m 06s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/335fb11fefe844ecb0b846de051fdaf3 : SUCCESS in 1h 14m 43s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/9ac81b0dc4f540ff8676f33f9d3f3f22 : SUCCESS in 5m 27s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/40806f932da24ba59e666ab621793da4 : SUCCESS in 3m 16s\n- openstack-tox-py27 https://zuul.opendev.org/t/openstack/build/f6c2e4828c2147b1875c8acaa52000ad : SUCCESS in 4m 23s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/a90378e459ce45afadc18eefcc8ee0e7 : SUCCESS in 4m 34s\n- openstack-tox-py37 https://zuul.opendev.org/t/openstack/build/f6682146882a4b8e96555607244e28fb : SUCCESS in 3m 50s\n- openstacksdk-functional-devstack-tips https://zuul.opendev.org/t/openstack/build/b93cdc743797430fbb96c150ca4cfadf : POST_FAILURE in 36m 21s\n- openstacksdk-functional-devstack-tips-python2 https://zuul.opendev.org/t/openstack/build/c8dfdb63653344299f2828333e24a325 : SUCCESS in 1h 23m 14s\n- openstacksdk-tox-py36-tips https://zuul.opendev.org/t/openstack/build/3f685f5aa04f470e9b70a294fd62d088 : SUCCESS in 4m 26s\n- osc-tox-py27-tips https://zuul.opendev.org/t/openstack/build/0436e8db63aa4ca490fa7eee0eaec53f : SUCCESS in 4m 07s\n- osc-tox-py36-tips https://zuul.opendev.org/t/openstack/build/bbcea5430319442cafda9687c07e1da0 : SUCCESS in 6m 55s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/9b244f546664456b89f6fc2928050db6 : SUCCESS in 5m 12s","accounts_in_message":[],"_revision_number":2},{"id":"8bc8e487f919d2f4a2f58fc5013749c810bb6d87","author":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"date":"2019-11-01 
18:05:32.000000000","message":"Patch Set 2:\n\nrecheck","accounts_in_message":[],"_revision_number":2},{"id":"e0fe45e45dcfc703f49dff2b54fa4a4b78225450","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-01 19:53:45.000000000","message":"Patch Set 2: Verified+1\n\nBuild succeeded (check pipeline).\n\n- tempest-full https://zuul.opendev.org/t/openstack/build/497bd4a3e5b345c499be02b3c8b3c19f : SUCCESS in 1h 46m 27s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/542871f914ae48f8b04e9ff485c3c345 : SUCCESS in 1h 12m 36s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/5cea4bcb35ba4498901eb8031bb5211f : SUCCESS in 4m 51s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/3b9944e5ff16426497ffa8ed2c364b9b : SUCCESS in 3m 26s\n- openstack-tox-py27 https://zuul.opendev.org/t/openstack/build/95e9df31b64d46aa945facde63697934 : SUCCESS in 3m 54s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/b6d2d428cbbb469499f6c714149c7bc0 : SUCCESS in 3m 18s\n- openstack-tox-py37 https://zuul.opendev.org/t/openstack/build/677e15213be845208b2a6a96a37c587f : SUCCESS in 4m 08s\n- openstacksdk-functional-devstack-tips https://zuul.opendev.org/t/openstack/build/b26856417bda467f9ffb6f9bfbeb8491 : SUCCESS in 55m 59s\n- openstacksdk-functional-devstack-tips-python2 https://zuul.opendev.org/t/openstack/build/f0c72ad67aed4581b11203cc64accb01 : SUCCESS in 59m 35s\n- openstacksdk-tox-py36-tips https://zuul.opendev.org/t/openstack/build/d4de49add8e3425f9c3c02099815ceb7 : SUCCESS in 4m 09s\n- osc-tox-py27-tips https://zuul.opendev.org/t/openstack/build/2a164757dec64a6ead41993ef280df8f : SUCCESS in 4m 02s\n- osc-tox-py36-tips https://zuul.opendev.org/t/openstack/build/a2dfba7175524e058a3eda65c70813d7 : SUCCESS in 4m 22s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/39416f963c3c4204ac03bc196a0e73ec : SUCCESS in 6m 
16s","accounts_in_message":[],"_revision_number":2},{"id":"e7635f67848366ff92ca9e3dfe0d9a2b03f6c166","author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"date":"2019-11-04 19:33:44.000000000","message":"Patch Set 2:\n\nwell, I would say that we\u0027re missing some unit tests to make sure we\u0027re doing the proper OIDC auth on it.","accounts_in_message":[],"_revision_number":2},{"id":"20dbae0c777f335d5998efca2fbb2942782f1897","author":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"date":"2019-11-06 14:43:35.000000000","message":"Uploaded patch set 3.","accounts_in_message":[],"_revision_number":3},{"id":"80f1114bd27cd642f72d668705681ef01f39f189","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-06 16:17:50.000000000","message":"Patch Set 3: Verified-1\n\nBuild failed (check pipeline).  
For information on how to proceed, see\nhttp://docs.openstack.org/infra/manual/developers.html#automated-testing\n\n\n- tempest-full https://zuul.opendev.org/t/openstack/build/0694e760156f42f29b8b23daade495bf : SUCCESS in 1h 33m 40s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/689297ac9efd4f4ca87a1ed311aebb17 : SUCCESS in 1h 32m 04s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/0a9bb8d30ee4428da35b1725be8886f0 : SUCCESS in 4m 34s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/d2b24bbbfad24d38aeeec17f3e05d0d9 : SUCCESS in 3m 44s\n- openstack-tox-py27 https://zuul.opendev.org/t/openstack/build/c158c015651849d2b5e026639374828d : SUCCESS in 3m 24s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/56b913dcdf8e4041aef2e1edcb502d8b : SUCCESS in 4m 05s\n- openstack-tox-py37 https://zuul.opendev.org/t/openstack/build/6b4fa1b2a2b246fdb18d2934ab3d689d : SUCCESS in 3m 53s\n- openstacksdk-functional-devstack-tips https://zuul.opendev.org/t/openstack/build/4b8d3a3b400a428189be1e2f10dcc5d6 : FAILURE in 58m 38s\n- openstacksdk-functional-devstack-tips-python2 https://zuul.opendev.org/t/openstack/build/a33784984bbf4ac78236378a04b88841 : FAILURE in 1h 00m 13s\n- openstacksdk-tox-py36-tips https://zuul.opendev.org/t/openstack/build/24d9938688a64cf49454b40a12a241b7 : SUCCESS in 4m 54s\n- osc-tox-py27-tips https://zuul.opendev.org/t/openstack/build/4068c7d5cb734dc89dd5b5fb1a411283 : SUCCESS in 4m 47s\n- osc-tox-py36-tips https://zuul.opendev.org/t/openstack/build/1665a3eddca64ba39e422dcec18a15ee : SUCCESS in 4m 22s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/a6e2ce92f7ee4926a3cfd8731ec12a45 : SUCCESS in 5m 05s","accounts_in_message":[],"_revision_number":3},{"id":"b27be13954489c36b06e9f737d23f8defe420017","author":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"date":"2019-11-06 
17:29:33.000000000","message":"Uploaded patch set 4.","accounts_in_message":[],"_revision_number":4},{"id":"bc227eaff28cfae5a0da678983d3b16b5ee80aa1","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2019-11-06 19:22:11.000000000","message":"Patch Set 4: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttp://docs.openstack.org/infra/manual/developers.html#automated-testing\n\n\n- tempest-full https://zuul.opendev.org/t/openstack/build/55f4009b35bf4f349cfcc92aa8d5c05a : SUCCESS in 1h 45m 13s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/98486ec3c97347e3bb9e82eb60b0b339 : SUCCESS in 1h 14m 00s\n- openstack-tox-lower-constraints https://zuul.opendev.org/t/openstack/build/09917f5ce36047a7afc28e30d3f48807 : SUCCESS in 5m 20s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/b255bbbf9c4c4e85a139dfc8a722a04f : SUCCESS in 3m 45s\n- openstack-tox-py27 https://zuul.opendev.org/t/openstack/build/49f54eef1aef424ea3bd41d22bd84708 : SUCCESS in 4m 18s\n- openstack-tox-py36 https://zuul.opendev.org/t/openstack/build/1461d78d8fdc4b2c9f8e993967633fed : SUCCESS in 3m 52s\n- openstack-tox-py37 https://zuul.opendev.org/t/openstack/build/ff105d43847e4a69b52ce05adf8bce66 : SUCCESS in 5m 02s\n- openstacksdk-functional-devstack-tips https://zuul.opendev.org/t/openstack/build/7c28e7669db245c29c110aa51cf7e3f4 : FAILURE in 55m 23s\n- openstacksdk-functional-devstack-tips-python2 https://zuul.opendev.org/t/openstack/build/7c9bf4bedc824207a44328630f3cddb3 : FAILURE in 1h 19m 45s\n- openstacksdk-tox-py36-tips https://zuul.opendev.org/t/openstack/build/032ff85ac09943739aa2b2aa0f7bcf3e : SUCCESS in 4m 55s\n- osc-tox-py27-tips https://zuul.opendev.org/t/openstack/build/25053c6ab3b6446bbd7322f3e527f31a : SUCCESS in 4m 44s\n- osc-tox-py36-tips https://zuul.opendev.org/t/openstack/build/341ccd793446475795e60e53383a9cc5 : SUCCESS in 4m 19s\n- 
openstack-tox-docs https://zuul.opendev.org/t/openstack/build/25d42a26e417473bb3ccd99b16fa8481 : SUCCESS in 5m 24s","accounts_in_message":[],"_revision_number":4},{"id":"3555280e650d7c95e4d72b2a24ad79c3a8f1493b","author":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"date":"2019-11-12 13:02:27.000000000","message":"Abandoned\n\nThe change https://review.opendev.org/#/c/693838/1/ solves the problem","accounts_in_message":[],"_revision_number":4}],"current_revision_number":4,"current_revision":"348495f44f0fbc44da2ca1a503e4b9baf22f6f56","revisions":{"476d4edaf59aa24ce953ecb5f3e81cffa106a0a7":{"kind":"REWORK","_number":1,"created":"2019-10-30 13:33:07.000000000","uploader":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"ref":"refs/changes/40/692140/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystoneauth","ref":"refs/changes/40/692140/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/1"}}},"commit":{"parents":[{"commit":"de53f90bf93376f0259f9579d8cf8aac3bdb05da","subject":"Merge \"Fetch discovery documents with auth when needed\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/de53f90bf93376f0259f9579d8cf8aac3bdb05da"}]}],"author":{"name":"pedro","email":"phpm13@gmail.com","date":"2019-10-27 
01:58:48.000000000","tz":-180},"committer":{"name":"pedro","email":"phpm13@gmail.com","date":"2019-10-30 13:01:21.000000000","tz":-180},"subject":"Fixes OIDC authentication with multiple IdPs","message":"Fixes OIDC authentication with multiple IdPs\n\nProblem description\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nWhen we try to use the OpenStack CLI with the OpenId Connect protocol\n(in an environment with multiple IdPs) to enable federated users to\nlogin, we get an error from the CLI while generating the Keystone\nsubject token (not the OIDC access token).\n\nThe error happens because when the keystoneauth lib calls the Keystone\nWSGI (the OIDC proxy)  to generate an auth token,  it expects an auth\ntoken as the response, but it gets an HTML document response. A page for\nthe user choose which IdP he/she desires to use/ in other words, the CLI\nreceives the discovery page HTML .\n\nThe actual v3oidcpassword plugin authentication flow is basically :\n - The keystoneauth retrieves the credentials from the configs, like\nclient id, client secret, IdP token URL, user name, password. 
It\n(Keystoneauth) uses these data to generate an access_token in the IdP;\n - Pass this access_token to Keystone to retrieve a subject_token;\n - Use this subject_token to then generate the authentication_token for\nthe specified user\u0027s groups and domains.\n\nThe problem is that in a federation with many IdPs, the Keystone WSGI\nprotected endpoint needs more information than just the access_token, it\nneeds to know which IdP the user wants to use.\n\nProposal\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nI propose to change the v3oidc authentication flow to handle multiple\nIdPs federations.\n\nThen the new v3oidc plugin authentication flow will be :\n - The keystoneauth requests to Keystone WSGI a session to generate a\nsubject_token for a specific issuer (define in the OpenStack CLI\nenvironment variables);\n - Keystone WSGI return a session cookie, a state, and a nonce value;\n - Keystoneauth will then generate an access_token in the IdP using the\ncredentials plus the nonce value;\n - Then the keystoneauth library will send the access_token and the\nstate value to the Keystone WSGI and it will return the subject_token to\nbe used in the rest of the authentication flow\n\nChange-Id: Ie16831d1f002d879eb115356e4741959557068ae\nCloses-Bug: #1850226\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/476d4edaf59aa24ce953ecb5f3e81cffa106a0a7"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/476d4edaf59aa24ce953ecb5f3e81cffa106a0a7"}]},"parents_data":[{"branch_name":"refs/heads/master","commit_id":"de53f90bf93376f0259f9579d8cf8aac3bdb05da","is_merged_in_target_branch":true}],"branch":"refs/heads/master"},"f4d0e953ce9496aa65d4cbd20eb15bdf8bcb70c6":{"kind":"REWORK","_number":2,"created":"2019-11-01 16:16:40.000000000","uploader":{"_account_id":30695,"name":"Pedro Henrique Pereira 
Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"ref":"refs/changes/40/692140/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystoneauth","ref":"refs/changes/40/692140/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/2"}}},"commit":{"parents":[{"commit":"de53f90bf93376f0259f9579d8cf8aac3bdb05da","subject":"Merge \"Fetch discovery documents with auth when needed\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/de53f90bf93376f0259f9579d8cf8aac3bdb05da"}]}],"author":{"name":"pedro","email":"phpm13@gmail.com","date":"2019-10-27 01:58:48.000000000","tz":-180},"committer":{"name":"pedro","email":"phpm13@gmail.com","date":"2019-11-01 16:14:10.000000000","tz":-180},"subject":"Fixes OIDC authentication with multiple IdPs","message":"Fixes OIDC authentication with multiple IdPs\n\nProblem description\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nWhen we try to use the OpenStack CLI with the OpenId Connect protocol\n(in an environment with multiple IdPs) to enable federated users to\nlogin, we get an error from the CLI while generating the Keystone\nsubject token (not the OIDC access token).\n\nThe error happens because when the keystoneauth lib calls the Keystone\nWSGI (the OIDC proxy)  to generate an auth token,  it expects an auth\ntoken as the response, but it gets an HTML document response. 
A page for\nthe user choose which IdP he/she desires to use/ in other words, the CLI\nreceives the discovery page HTML .\n\nThe actual v3oidcpassword plugin authentication flow is basically :\n - The keystoneauth retrieves the credentials from the configs, like\nclient id, client secret, IdP token URL, user name, password. It\n(Keystoneauth) uses these data to generate an access_token in the IdP;\n - Pass this access_token to Keystone to retrieve a subject_token;\n - Use this subject_token to then generate the authentication_token for\nthe specified user\u0027s groups and domains.\n\nThe problem is that in a federation with many IdPs, the Keystone WSGI\nprotected endpoint needs more information than just the access_token, it\nneeds to know which IdP the user wants to use.\n\nProposal\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nI propose to change the v3oidc authentication flow to handle multiple\nIdPs federations.\n\nThen the new v3oidc plugin authentication flow will be :\n - The keystoneauth requests to Keystone WSGI a session to generate a\nsubject_token for a specific issuer (define in the OpenStack CLI\nenvironment variables);\n - Keystone WSGI return a session cookie, a state, and a nonce value;\n - Keystoneauth will then generate an access_token in the IdP using the\ncredentials plus the nonce value;\n - Then the keystoneauth library will send the access_token and the\nstate value to the Keystone WSGI and it will return the subject_token to\nbe used in the rest of the authentication flow\n\nCloses-Bug: #1850226\nChange-Id: Ie16831d1f002d879eb115356e4741959557068ae\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/f4d0e953ce9496aa65d4cbd20eb15bdf8bcb70c6"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in 
GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/f4d0e953ce9496aa65d4cbd20eb15bdf8bcb70c6"}]},"parents_data":[{"branch_name":"refs/heads/master","commit_id":"de53f90bf93376f0259f9579d8cf8aac3bdb05da","is_merged_in_target_branch":true}],"branch":"refs/heads/master"},"a9e79823bdcb565e028ee66514ae1887fad03fff":{"kind":"REWORK","_number":3,"created":"2019-11-06 14:43:35.000000000","uploader":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"ref":"refs/changes/40/692140/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystoneauth","ref":"refs/changes/40/692140/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/3"}}},"commit":{"parents":[{"commit":"de53f90bf93376f0259f9579d8cf8aac3bdb05da","subject":"Merge \"Fetch discovery documents with auth when needed\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/de53f90bf93376f0259f9579d8cf8aac3bdb05da"}]}],"author":{"name":"pedro","email":"phpm13@gmail.com","date":"2019-10-27 01:58:48.000000000","tz":-180},"committer":{"name":"pedro","email":"phpm13@gmail.com","date":"2019-11-06 14:42:57.000000000","tz":-180},"subject":"Fixes OIDC authentication with multiple IdPs","message":"Fixes OIDC authentication with multiple IdPs\n\nProblem description\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nWhen we try to use 
the OpenStack CLI with the OpenId Connect protocol\n(in an environment with multiple IdPs) to enable federated users to\nlogin, we get an error from the CLI while generating the Keystone\nsubject token (not the OIDC access token).\n\nThe error happens because when the keystoneauth lib calls the Keystone\nWSGI (the OIDC proxy)  to generate an auth token,  it expects an auth\ntoken as the response, but it gets an HTML document response. A page for\nthe user choose which IdP he/she desires to use/ in other words, the CLI\nreceives the discovery page HTML .\n\nThe actual v3oidcpassword plugin authentication flow is basically :\n - The keystoneauth retrieves the credentials from the configs, like\nclient id, client secret, IdP token URL, user name, password. It\n(Keystoneauth) uses these data to generate an access_token in the IdP;\n - Pass this access_token to Keystone to retrieve a subject_token;\n - Use this subject_token to then generate the authentication_token for\nthe specified user\u0027s groups and domains.\n\nThe problem is that in a federation with many IdPs, the Keystone WSGI\nprotected endpoint needs more information than just the access_token, it\nneeds to know which IdP the user wants to use.\n\nProposal\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nI propose to change the v3oidc authentication flow to handle multiple\nIdPs federations.\n\nThen the new v3oidc plugin authentication flow will be :\n - The keystoneauth requests to Keystone WSGI a session to generate a\nsubject_token for a specific issuer (define in the OpenStack CLI\nenvironment variables);\n - Keystone WSGI return a session cookie, a state, and a nonce value;\n - Keystoneauth will then generate an access_token in the IdP using the\ncredentials plus the nonce value;\n - Then the keystoneauth library will send the access_token and the\nstate value to the Keystone WSGI and it will return the subject_token to\nbe used in the rest of the authentication flow\n\nCloses-Bug: 
#1850226\nChange-Id: Ie16831d1f002d879eb115356e4741959557068ae\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/a9e79823bdcb565e028ee66514ae1887fad03fff"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/a9e79823bdcb565e028ee66514ae1887fad03fff"}]},"parents_data":[{"branch_name":"refs/heads/master","commit_id":"de53f90bf93376f0259f9579d8cf8aac3bdb05da","is_merged_in_target_branch":true}],"branch":"refs/heads/master"},"348495f44f0fbc44da2ca1a503e4b9baf22f6f56":{"kind":"REWORK","_number":4,"created":"2019-11-06 17:29:33.000000000","uploader":{"_account_id":30695,"name":"Pedro Henrique Pereira Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"ref":"refs/changes/40/692140/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystoneauth","ref":"refs/changes/40/692140/4","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystoneauth refs/changes/40/692140/4"}}},"commit":{"parents":[{"commit":"de53f90bf93376f0259f9579d8cf8aac3bdb05da","subject":"Merge \"Fetch discovery documents with auth when needed\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/de53f90bf93376f0259f9579d8cf8aac3bdb05da"}]}],"author":{"name":"pedro","email":"phpm13@gmail.com","date":"2019-10-27 01:58:48.000000000","tz":-180},"committer":{"name":"pedro","email":"phpm13@gmail.com","date":"2019-11-06 
17:29:03.000000000","tz":-180},"subject":"Fixes OIDC authentication with multiple IdPs","message":"Fixes OIDC authentication with multiple IdPs\n\nProblem description\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nWhen we try to use the OpenStack CLI with the OpenId Connect protocol\n(in an environment with multiple IdPs) to enable federated users to\nlogin, we get an error from the CLI while generating the Keystone\nsubject token (not the OIDC access token).\n\nThe error happens because when the keystoneauth lib calls the Keystone\nWSGI (the OIDC proxy) to generate an auth token, it expects an auth\ntoken as the response, but it gets an HTML document response: a page on\nwhich the user chooses which IdP he/she wants to use. In other words, the CLI\nreceives the discovery page HTML.\n\nThe actual v3oidcpassword plugin authentication flow is basically:\n - The keystoneauth retrieves the credentials from the configs, like\nclient id, client secret, IdP token URL, user name, password. 
It\n(Keystoneauth) uses these data to generate an access_token in the IdP;\n - Pass this access_token to Keystone to retrieve a subject_token;\n - Use this subject_token to then generate the authentication_token for\nthe specified user\u0027s groups and domains.\n\nThe problem is that in a federation with many IdPs, the Keystone WSGI\nprotected endpoint needs more information than just the access_token, it\nneeds to know which IdP the user wants to use.\n\nProposal\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nI propose to change the v3oidc authentication flow to handle multiple\nIdPs federations.\n\nThen the new v3oidc plugin authentication flow will be :\n - The keystoneauth requests to Keystone WSGI a session to generate a\nsubject_token for a specific issuer (define in the OpenStack CLI\nenvironment variables);\n - Keystone WSGI return a session cookie, a state, and a nonce value;\n - Keystoneauth will then generate an access_token in the IdP using the\ncredentials plus the nonce value;\n - Then the keystoneauth library will send the access_token and the\nstate value to the Keystone WSGI and it will return the subject_token to\nbe used in the rest of the authentication flow\n\nCloses-Bug: #1850226\nChange-Id: Ie16831d1f002d879eb115356e4741959557068ae\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/348495f44f0fbc44da2ca1a503e4b9baf22f6f56"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystoneauth/commit/348495f44f0fbc44da2ca1a503e4b9baf22f6f56"}]},"parents_data":[{"branch_name":"refs/heads/master","commit_id":"de53f90bf93376f0259f9579d8cf8aac3bdb05da","is_merged_in_target_branch":true}],"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
