OIDC token bearer from IdP and Keystone local mapping

Hi, as far as I know, with the latest OpenStack release it is possible to authenticate to OpenStack via the CLI by providing a valid OIDC token from an existing IdP. I think it works correctly, but now my question is:

Would it be possible to map the OIDC token user to a local username using the email included in the OIDC token?

I mean: the user's OIDC token in JWS format includes the issuer, the email and basic user attributes. The OIDC token is validated by Keystone using the external IdP's introspection endpoint, then the authenticated user is mapped locally by Keystone onto the local username using the email attribute. Would this be possible using Keystone JSON rules? If this worked in the past, it was not completely clear to me.

BR Michele
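An example of the kind of Keystone federation mapping rule the question asks about, added here and not part of the original post. It binds the email claim to an existing local user (`"type": "local"`) and gates on the issuer, with a small Python stand-in for Keystone's rule processor so the positional `{0}` substitution can be checked offline. The remote attribute names `OIDC-email` and `OIDC-iss` (the mod_auth_openidc convention), the issuer URL and the email address are assumptions.

```python
import json

# Mapping rule in the JSON shape accepted by `openstack mapping create --rules`.
# Remote attribute names assume mod_auth_openidc exposes claims as OIDC-<claim>.
MAPPING_RULES = {
    "rules": [
        {
            "local": [
                {
                    "user": {
                        # "{0}" is filled with the first direct-mapped remote value.
                        "name": "{0}",
                        # "local" binds to an existing Keystone user in the given
                        # domain; the default, "ephemeral", creates a shadow user.
                        "type": "local",
                        "domain": {"name": "Default"},
                    }
                }
            ],
            "remote": [
                # Direct map: its value becomes {0}.
                {"type": "OIDC-email"},
                # Condition: must match, but contributes no positional value.
                {"type": "OIDC-iss", "any_one_of": ["https://idp.example.org"]},
            ],
        }
    ]
}


def apply_mapping(rules, assertion):
    """Simplified stand-in for Keystone's RuleProcessor (not Keystone code).

    Returns the local user dict of the first rule whose remote requirements all
    hold, or None when no rule matches (Keystone then rejects the login)."""
    for rule in rules["rules"]:
        direct_maps = []
        for req in rule["remote"]:
            value = assertion.get(req["type"])
            if value is None:
                break
            if "any_one_of" in req:
                if value not in req["any_one_of"]:
                    break
                continue  # conditions never feed {N} placeholders
            if "not_any_of" in req:
                if value in req["not_any_of"]:
                    break
                continue
            direct_maps.append(value)
        else:
            user = json.loads(json.dumps(rule["local"][0]["user"]))  # deep copy
            user["name"] = user["name"].format(*direct_maps)
            return user
    return None
```

With `"type": "local"` the user named by the email must already exist in the `Default` domain, otherwise Keystone refuses the federated login rather than creating one.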