
Does Keystone (Kilo) support authorization code flow for Federation using the OpenID Connect protocol?

We are using Keycloak as our Identity Provider (IdP) and want to configure Keystone as the Relying Party using the OpenID Connect protocol. Keycloak currently only supports authorization code flow and not implicit flow (id_token), which is shown in your documentation:

We used DevStack to stand up an instance of OpenStack using the Kilo version and followed the steps detailed here:

Our Apache site file looks like:

<VirtualHost *:5000>

    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "code"
    OIDCScope "openid email profile"
    OIDCProviderMetadataURL http://<keycloak_host>:8080/auth/realms/master/.well-known/openid-configuration
    OIDCClientID <client_id>
    OIDCClientSecret <client_secret>
    OIDCCryptoPassphrase openstack
    OIDCRedirectURI http://<openstack_host>:5000/v3/OS-FEDERATION/identity_providers/keycloak/protocols/oidc/auth/redirect

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
        AuthType openid-connect
        Require valid-user
        LogLevel debug
    </LocationMatch>
</VirtualHost>

On the Keycloak side we have a client ID with the redirect URL matching what is in the Apache site file exactly.

We issue a cURL request and then we hit the redirect endpoint from the response.

curl -X GET -D - http://<openstack_host>:5000/v3/OS-FEDERATION/identity_providers/keycloak/protocols/oidc/auth

Is there something off in our configuration or does Keystone (Kilo) just not support authorization code flow?
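
One way to inspect the headers returned by the cURL request in the question, as an added example that is not part of the original post: it checks that the redirect carries an authorization code request consistent with the site file. The host names, client ID, sample headers and function name are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Expected values mirror the Apache site file in the question; hosts and client id are placeholders.
REDIRECT_URI = ("http://openstack.example:5000/v3/OS-FEDERATION/identity_providers/"
                "keycloak/protocols/oidc/auth/redirect")
EXPECTED = {"response_type": "code", "client_id": "CLIENT_ID", "redirect_uri": REDIRECT_URI}
REQUIRED_SCOPES = {"openid", "email", "profile"}
PROTECTED = re.compile(r"/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth")

# Constructed sample of `curl -D -` output; the IdP endpoint path is a placeholder.
SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://keycloak.example:8080/AUTHORIZATION_ENDPOINT"
    "?response_type=code&scope=openid%20email%20profile&client_id=CLIENT_ID"
    "&state=constructed-state&redirect_uri=http%3A%2F%2Fopenstack.example%3A5000"
    "%2Fv3%2FOS-FEDERATION%2Fidentity_providers%2Fkeycloak%2Fprotocols%2Foidc"
    "%2Fauth%2Fredirect\r\n\r\n"
)


def check_authorization_redirect(raw_headers):
    """Return the problems found in the response from the protected endpoint."""
    lines = raw_headers.replace("\r\n", "\n").split("\n")
    status = lines[0].split()
    if len(status) < 2 or status[1] not in ("302", "303"):
        return ["expected a redirect to the IdP, got: " + lines[0]]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:] if ":" in ln)}
    if "location" not in headers:
        return ["redirect has no Location header"]
    query = parse_qs(urlsplit(headers["location"]).query)
    params = {k: v[0] for k, v in query.items()}
    problems = []
    for name, want in EXPECTED.items():
        if params.get(name) != want:
            problems.append("%s is %r, expected %r" % (name, params.get(name), want))
    missing = REQUIRED_SCOPES - set(params.get("scope", "").split())
    if missing:
        problems.append("scope lacks: " + " ".join(sorted(missing)))
    if not params.get("state"):
        problems.append("no state parameter to bind the callback to this request")
    # The callback must fall inside the location guarded by AuthType openid-connect.
    if not PROTECTED.search(urlsplit(params.get("redirect_uri", "")).path):
        problems.append("redirect_uri is outside the protected LocationMatch")
    return problems


if __name__ == "__main__":
    print(check_authorization_redirect(SAMPLE) or "authorization request looks consistent")
```

An empty list means the first leg of the flow matches the configuration, which points any remaining failure at the callback or token exchange rather than at the initial request.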