Implement OTP in Keystone -- How-To

asked 2014-12-06 06:25:03 -0600

New-stack

updated 2014-12-06 07:34:30 -0600

Hi people, I want to implement 2FA with OTP in my test environment (Juno).

How do I add a plugin for Keystone to do this?

Can I find a working plugin somewhere?

Thanks all


2 answers


answered 2018-04-30 14:08:47 -0600

ouss

But how can I INTEGRATE 2 authentication factors in OpenStack using RCDevs Security Solutions?


Not by digging up a 4-year-old question anyway.

rduncan-t ( 2018-05-02 06:33:05 -0600 )

answered 2014-12-07 18:45:49 -0600

updated 2014-12-10 14:55:19 -0600

You can refer to

Keystone is in the process of finalizing OTP. Most probably it will be available in the Kilo release (the next release).

Update 1:

None of the services require any change. All the services operate on the token and the roles associated with the token. As long as you pass a valid token to the service, it will work. It doesn't matter how you got the token.

A plugin is just an implementation of an interface. Look at Password auth at . Similarly, you need to add one more class, say OTPAuth, and override the authenticate method to validate the OTP.

Next step is to register your class in the configuration file. Check the following line:

Similarly, you need to register your OTP class there.


Can you tell me more about the implementation process, please? I need to verify that the endpoints are v3 and not v2; after that I should add a plugin... but how can I add this plugin in my environment, and what should it do? And...

New-stack ( 2014-12-08 05:57:34 -0600 )

... The request in Horizon to authenticate with name/password and OTP value, is it implemented in this plugin?

New-stack ( 2014-12-08 05:58:05 -0600 )

The plugin should be in Keystone. We currently have plugins for password, SAML, oath authentication. Similarly, you need to add one for OTP. Check this out

Haneef Ali ( 2014-12-08 10:41:52 -0600 )

Thanks Haneef Ali,

I don't have experience with plugin writing, but this isn't a problem: for me this is a new challenge.

Please, and I underline please: can you illustrate for me how to implement a plugin? What knowledge is required (except Python) to write a simple (T)OTP plugin?

New-stack ( 2014-12-10 05:09:14 -0600 )

I suppose that this implementation is needed for the public endpoint, but what about the others? I think that all services like Glance and Neutron also need an OTP... but this may be a complication (I want to do this for my thesis and my knowledge).

What do you think?

Thanks for your support

New-stack ( 2014-12-10 05:09:47 -0600 )
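
As an added example (not part of the original thread, and not Keystone's own code), this is the kind of check an `OTPAuth` class's `authenticate` override would need to perform: TOTP validation per RFC 6238 with a drift window, constant-time comparison and replay rejection. The `TOTPVerifier` class, its in-memory store and its parameter names are hypothetical, and Keystone's plugin base class and method signature are deliberately not reproduced here.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TOTPVerifier:
    """Hypothetical helper: validates a TOTP code and rejects replays per user."""

    def __init__(self, window: int = 1):
        self.window = window      # accepted clock drift, in time steps
        self.last_counter = {}    # user_id -> last accepted counter (in-memory, assumption)

    def verify(self, user_id, secret: bytes, submitted, now=None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // STEP
        candidate = str(submitted).encode()
        matched = None
        for counter in range(max(0, current - self.window),
                             current + self.window + 1):
            # compare_digest does not leak how many digits matched
            if hmac.compare_digest(hotp(secret, counter).encode(), candidate):
                matched = counter
        # A code at or below the last accepted counter has already been used
        if matched is None or matched <= self.last_counter.get(user_id, -1):
            return False
        self.last_counter[user_id] = matched
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    v = TOTPVerifier()
    print(v.verify("alice", secret, "287082", now=59))   # first use
    print(v.verify("alice", secret, "287082", now=59))   # replay of the same code
```

In a real deployment the per-user secret and the last accepted counter would live in persistent storage shared by all Keystone workers, otherwise the replay check only holds within one process.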



Asked: 2014-12-06 06:25:03 -0600

Seen: 1,301 times

Last updated: Apr 30 '18