Evaluate use of oauth2.0 device authorization grant for openstack client authentication #221

Closed
4 tasks done
fkr opened this issue Nov 24, 2022 · 5 comments


fkr commented Nov 24, 2022

Hypothesis: that device authorization grant is the way to go in order to properly federate auth of an openstack client

As an SCS Developer, I want to evaluate and benchmark this hypothesis.
This includes:

  • Implement something in openstack/keystoneauth code
  • Test it against keycloak/keystone in the testbed

Definition of Done:

  • We know whether device authorization grant will solve our problem
  • There exists a sketch on how to properly implement the targeted solution
  • All acceptance criteria are met
  • Documentation has been updated
fkr added the "IAM" label (Issues or pull requests relevant for SIG IAM) Nov 24, 2022
fkr added this to the R4 (v5.0.0) milestone Nov 24, 2022
fkr added the "needs refinement" label (User stories that need to be refined for further progress) Nov 24, 2022

reqa commented Nov 25, 2022

Zitadel currently doesn't yet support it, but that shouldn't block us, as 1. Keycloak apparently already does, so we have a target to test against and 2. Zitadel is open for doing this at some point: zitadel/oidc#141

@fforootd

> Zitadel currently doesn't yet support it, but that shouldn't block us, as 1. Keycloak apparently already does, so we have a target to test against and 2. Zitadel is open for doing this at some point: zitadel/oidc#141

👍 Just let us know if this is important to your project. We would be happy to assist.

fkr removed the "needs refinement" label (User stories that need to be refined for further progress) Nov 28, 2022
fkr assigned reqa and JuanPTM Nov 28, 2022

reqa commented Dec 6, 2022

I've implemented support for the "OAuth 2.0 Device Authorization Grant" flow here. Next steps would be:

  • Try to upstream the patch (simply create a Pull request or be more proactive?)
  • Check in Testbed if Keycloak Identity Brokering to a remote IdP (or rather OIDC OP) actually works with this

Side note: Apparently with this flow Keycloak does not (yet?) support the Keycloak specific mechanism of explicit selection of a remote IdP via ?kc_idp_hint URL parameter, see https://keycloak.discourse.group/t/kc-idp-hint-and-oauth-2-0-device-authorization-grant/16848 .

fkr closed this as completed Dec 8, 2022
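
For readers new to the flow evaluated in this issue, the client side of the OAuth 2.0 Device Authorization Grant (RFC 8628) is sketched below as an added example; it is not the keystoneauth patch mentioned in the thread. The `post` transport hook, `fake_idp`, and every URL, code and token are constructed assumptions so the example runs offline.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """Terminal failure of the device flow (denied, expired, malformed)."""


def device_login(post, device_url, token_url, client_id, scope="openid",
                 sleep=time.sleep, clock=time.monotonic, show=print):
    """Run the RFC 8628 flow. `post(url, form) -> dict` is a hypothetical
    transport hook (e.g. a wrapper around an HTTPS client returning JSON)."""
    grant = post(device_url, {"client_id": client_id, "scope": scope})
    show(f"Open {grant['verification_uri']} and enter code {grant['user_code']}")
    interval = grant.get("interval", 5)          # RFC 8628 default: 5 seconds
    deadline = clock() + grant["expires_in"]
    form = {"grant_type": DEVICE_GRANT, "client_id": client_id,
            "device_code": grant["device_code"]}
    while clock() < deadline:
        sleep(interval)
        reply = post(token_url, form)
        if "access_token" in reply:
            return reply
        error = reply.get("error")
        if error == "slow_down":
            interval += 5                        # keep the longer interval from now on
        elif error != "authorization_pending":
            raise DeviceFlowError(error or "malformed token response")
    raise DeviceFlowError("expired_token")       # never poll past expires_in


def fake_idp(token_replies):
    """Constructed stand-in for the OP: scripted replies, no network."""
    replies = iter(token_replies)

    def post(url, form):
        if url.endswith("/device"):
            return {"device_code": "constructed-device-code", "user_code": "ABCD-EFGH",
                    "verification_uri": "https://idp.example/device",
                    "interval": 5, "expires_in": 600}
        assert form["grant_type"] == DEVICE_GRANT
        return next(replies)
    return post
```

The client holds no user password and needs no local redirect listener; it must honour `interval`, `slow_down` and `expires_in` so that it neither hammers the token endpoint nor polls with a stale device code.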

mffap commented Mar 1, 2023

> Zitadel currently doesn't yet support it, but that shouldn't block us, as 1. Keycloak apparently already does, so we have a target to test against and 2. Zitadel is open for doing this at some point: zitadel/oidc#141

Looks like the device authorization grant has been merged into our oidc library. So probably will land very soon in zitadel.

mffap mentioned this issue Mar 1, 2023