Ask Your Question

HTTP 403 in Keystone /v3/users

asked 2016-11-02 12:36:42 -0500

RichArt gravatar image

updated 2016-11-09 08:11:09 -0500

I am developing my own OpenStack project in Python.

I first get the security token from the Identity API /v3/auth/tokens.

Then, when calling the (Identity API /v3/users), with the token I got from the previous request, I get a 403 error.

I always use the admin user. The token is the X-Subject-Token and looks like this:


This is the error from /v3/users:

{"error": {"message": "You are not authorized to perform the requested action: identity:list_users", "code": 403, "title": "Forbidden"}}

It works only if I change the line

"identity:list_users": "rule:admin_required"

int the file /etc/keystone/policy.json to:

"identity:list_users": ""

But I think this is not the right way.

Anybody some idea what the problem could be?

Update Nov. 9, 2017:

This is how I authenticate: Password authentication with unscoped authorization

url = 'http://openstack-controller:35357/v3/auth/tokens'
payload = {
    "auth": {
        "identity": {
            "methods": [
            "password": {
                "user": {
                    "name": "admin",
                    "domain": {
                        "name": "default"
                    "password": "PASSWORD"
r =, data=json.dumps(payload))
edit retag flag offensive close merge delete



How do you authenticate, can you provide details? You need to provide the Default domain and/or the admin project. Details at

Bernd Bausch gravatar imageBernd Bausch ( 2016-11-08 17:39:41 -0500 )edit

You use "domain" : { "name": "default" }. I think the name is actually Default (capitalized), or you could use "id": "default".

Bernd Bausch gravatar imageBernd Bausch ( 2016-11-09 21:31:46 -0500 )edit

The first curl gives a 400 error: Expecting to find identity in auth - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. I guess it is a bit outdated.

RichArt gravatar imageRichArt ( 2016-11-10 14:41:17 -0500 )edit

I think this is the current request structure: But still, the problem is: How do I get the project ID? Initially I only have user/pw

RichArt gravatar imageRichArt ( 2016-11-10 14:43:01 -0500 )edit

You can also use the project name. See the link I posted in the first comment.

Bernd Bausch gravatar imageBernd Bausch ( 2016-11-10 20:55:50 -0500 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2016-11-08 11:58:39 -0500

volenbovsky gravatar image

Hi, maybe that is scoped vs. unscoped token. Basically in case your user doesn't have default domain defined, there is chance that you got unscoped token. One of way of checking whether you have scoped or unscoped is via response that you get on your POST to tokens or using HTTP GET on /v3/auth/tokens. I think you should have (assuming that you are not using something more complicated domain-wise) "domain": { "id": "default", "name": "Default" or project information

edit flag offensive delete link more


So, should I do a scoped authentication? I thought that if I did an unscoped authentication then I could access to everything.

RichArt gravatar imageRichArt ( 2016-11-09 08:13:29 -0500 )edit

Hi, no with unscoped token you actually ca not do anything. See (

volenbovsky gravatar imagevolenbovsky ( 2016-11-09 09:14:43 -0500 )edit

OK, this seams to be the solution. But If I have an unscoped token, how can i get the list of projects? I mean, I need a scoped token to get a list of projects. But on the other side I need a project ID to get the scoped token.

RichArt gravatar imageRichArt ( 2016-11-10 07:58:32 -0500 )edit

See above comment of Bernd, try to use default or Default as domain ID/domain name respectively

volenbovsky gravatar imagevolenbovsky ( 2016-11-10 12:15:37 -0500 )edit

It seams that Default or default doesn't make any difference. Initially I only have username and password. And I need a token to access the Nova API. But as I understood I need the domain or project ID to get a scoped token. But where do I get those IDs?

RichArt gravatar imageRichArt ( 2016-11-10 14:48:08 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-11-02 12:36:42 -0500

Seen: 4,562 times

Last updated: Nov 09 '16