
OIDC token bearer from IdP and Keystone local mapping

asked 2020-05-05 02:36:55 -0500

mcarpene

Hi, as far as I know, with the last OpenStack release it is possible to authenticate via CLI to OpenStack by providing a valid OIDC token from an existing IdP. I think it works correctly, but now my question is:

would it be possible to map the OIDC token user to a local username using the email included in the OIDC token?

I mean: the user's OIDC token in JWS format includes the issuer, email and basic user attributes. The OIDC token is validated by Keystone using the external IdP's introspection endpoint, then the authenticated user is mapped locally by Keystone onto the local username using the email attribute. Would this be possible using Keystone JSON rules? If this worked in the past, it was not completely clear to me.

BR Michele


1 answer


answered 2020-05-11 08:15:22 -0500

srelf

This is possible. You need to use a mappings file (

A super simple mapping file

    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}",
                        "email": "{0}"
                    }
                },
                {
                    "groups": "{1}",
                    "domain": {
                        "id": "default"
                    }
                }
            ],
            "remote": [
                {
                    "type": "OIDC-email"
                },
                {
                    "type": "OIDC-groups"
                }
            ]
        }
    ]

This maps the user name and email to OIDC-email, and then maps any groups passed in the token to match against groups in OpenStack, linking that user to those groups.

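The rules file above is only evaluated once it is loaded into Keystone, which makes typos in the `{n}` placeholders or the `remote` list painful to debug. The script below is an added example, not Keystone's own code and not part of the answer: it is a deliberately simplified re-implementation of Keystone's direct-mapping semantics (remote attribute `i` feeds placeholder `{i}`, `;`-joined values are lists, `any_one_of`/`not_any_of` entries are pure filters that do not consume an index, and a missing direct-map attribute fails the whole rule) so a rules file can be dry-run offline against constructed claims before `openstack mapping create --rules` is called. The claim names (`OIDC-email`, `OIDC-groups`, `OIDC-iss`), the issuer URL, the e-mail address and the group names are all made up for the example. The rule extends the answer's mapping with `"type": "local"` plus a user domain, which is what tells Keystone to link the assertion to a pre-existing local account rather than create an ephemeral federated one; Keystone resolves such a user by name within that domain, so mapping "by email" in practice means the local account's name must equal the email claim, exactly as `"name": "{0}"` produces here.

```python
"""Offline dry-run of a Keystone-style federation mapping (simplified, hypothetical)."""
import json
import re

# Constructed assertion, shaped like what mod_auth_openidc hands Keystone:
# one variable per claim, multi-valued claims joined with ';'.
ASSERTION = {
    "OIDC-email": "michele@example.org",
    "OIDC-groups": "admins;operators",
    "OIDC-iss": "https://idp.example.org/realms/cloud",
}

# Rules in the shape `openstack mapping create --rules` expects (a JSON list).
# The third remote entry pins the issuer and is a filter only: it gets no {n}.
RULES = json.loads("""
[
  {
    "local": [
      {"user": {"name": "{0}", "email": "{0}", "type": "local",
                "domain": {"id": "default"}}},
      {"groups": "{1}", "domain": {"id": "default"}}
    ],
    "remote": [
      {"type": "OIDC-email"},
      {"type": "OIDC-groups"},
      {"type": "OIDC-iss", "any_one_of": ["https://idp.example.org/realms/cloud"]}
    ]
  }
]
""")


def split_values(raw):
    """A ';'-joined assertion value is treated as a list of values."""
    return [v for v in str(raw).split(";") if v]


def match_remote(remote, assertion):
    """Evaluate one rule's 'remote' list.

    Returns one value-list per unfiltered entry (the direct maps feeding {0}, {1}, ...),
    or None when a filter fails or a direct-map attribute is absent from the token.
    """
    direct_maps = []
    for req in remote:
        values = split_values(assertion.get(req["type"], ""))
        regex = req.get("regex", False)

        def hit(candidates):
            if regex:
                return any(re.search(p, v) for p in candidates for v in values)
            return any(v in candidates for v in values)

        if "any_one_of" in req:
            if not hit(req["any_one_of"]):
                return None
            continue  # filter only, consumes no placeholder index
        if "not_any_of" in req:
            if hit(req["not_any_of"]):
                return None
            continue
        if not values:
            return None  # e.g. a token without a groups claim fails this rule
        direct_maps.append(values)
    return direct_maps


def render(template, direct_maps):
    """Substitute {n}; a bare "{n}" bound to a multi-valued attribute becomes a list."""
    if isinstance(template, dict):
        return {k: render(v, direct_maps) for k, v in template.items()}
    if isinstance(template, list):
        return [render(v, direct_maps) for v in template]
    if isinstance(template, str):
        whole = re.fullmatch(r"\{(\d+)\}", template)
        if whole:
            vals = direct_maps[int(whole.group(1))]
            return vals[0] if len(vals) == 1 else vals
        return re.sub(r"\{(\d+)\}", lambda m: direct_maps[int(m.group(1))][0], template)
    return template


def apply_mapping(rules, assertion):
    """Return the local identity produced by the first matching rule, or None."""
    for rule in rules:
        direct_maps = match_remote(rule["remote"], assertion)
        if direct_maps is None:
            continue
        identity = {"user": None, "group_names": []}
        for local in rule["local"]:
            rendered = render(local, direct_maps)
            if "user" in rendered:
                identity["user"] = rendered["user"]
            if "groups" in rendered:
                names = rendered["groups"]
                names = names if isinstance(names, list) else [names]
                identity["group_names"].extend(
                    {"name": n, "domain": rendered.get("domain")} for n in names)
        return identity
    return None


if __name__ == "__main__":
    print(json.dumps(apply_mapping(RULES, ASSERTION), indent=2))
    # Same claims but a different issuer: the any_one_of filter rejects the token.
    print(apply_mapping(RULES, dict(ASSERTION, **{"OIDC-iss": "https://other.example.net"})))
```

Two things the dry run surfaces that the bare rules file does not: a user whose token carries no groups claim matches nothing at all, because `OIDC-groups` is a direct-map attribute rather than a filter, and the issuer check costs no placeholder index, so `{0}` and `{1}` still refer to email and groups even though the filter sits in the same `remote` list.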
