Skip to content

feat(keystone): add OAuth 2.0 authentication options #1496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cardoe wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(keystone): add OAuth 2.0 authentication options #1496

cardoe wants to merge 2 commits into from

Conversation

@cardoe
Copy link
Contributor

@cardoe cardoe commented Dec 10, 2025

The device authorization and the client credentials flows are OAuth 2.0 flows instead of OIDC so we need to be able to validate the token submitted against the endpoint so we need to also read the metadata for the OAuth 2.0 paths of mod_auth_openidc. Add another authentication endpoint into apache for Keystone so that we can route the authentication request to the correct connector inside of Dex to successfully complete the authentication.

@cardoe
feat(keystone): add OAuth 2.0 authentication options
150dda5 
The device authorization and the client credentials flows are OAuth 2.0
flows instead of OIDC so we need to be able to validate the token
submitted against the endpoint so we need to also read the metadata for
the OAuth 2.0 paths of mod_auth_openidc. Add another authentication
endpoint into apache for Keystone so that we can route the
authentication request to the correct connector inside of Dex to
successfully complete the authentication.
@cardoe cardoe requested a review from a team December 10, 2025 19:33
@cardoe
feat(dex): add additional env vars to be loaded
1c67aef 
Add additional env vars to be loaded to make the naming clearer that
these are for connectors and not for regular client authentication.
skrobul
skrobul approved these changes Dec 11, 2025
View reviewed changes
components/keystone/values.yaml
<Location /v3/OS-FEDERATION/identity_providers/sso/protocols/mapped/auth>
Require valid-user
AuthType oauth20
# TODO: variablize this better
Copy link
Collaborator

@skrobul skrobul Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like the helm templating is supported here, so maybe just make it a configurable value with a sensible default?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skrobul skrobul skrobul approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cardoe @skrobul