Friday, 2022-01-28

opendevreview Hiromu Asahina proposed openstack/keystone-specs master: OAuth2.0 Client Credentials Grant Flow Support
*** dasm|off is now known as dasm 13:30
*** dasm is now known as dasm|rover 13:31
Muran Hey. I ran into a bug in communication between octavia and keystone. I'm not sure where to file it or how we want to fix it as I don't have all the background. I have however tracked down where in the code it happens. It occurs if you try to add a terminated_https listener when you are authenticated using application credentials. What happens is that Octavia sends a token request to keystone with methods: token and 14:06
Muran set. In keystone, it dynamically adds application_credential as a method, then fails on a 500 error when trying to read application_credential['id'] from the payload. For me it makes little sense that keystone, after it itself added application_credential to methods, enforces that you use it. If the client, octavia in this case, asks for "token" method. Shouldn't it be allowed to do so? 14:06
Muran Octavia creates payload here:
Muran And here is where keystone adds application_credential to method and then fails when trying to read
Muran I guess the main question is if it's ok for a client to authenticate using token ID that was created from an application secret. If that is the case, keystone code needs to be changed a bit. It's fine to add application_secret as method, but it should only use it if it actually receives said credentials in the payload. 14:17
opendevreview Grzegorz Grasza proposed openstack/keystone master: Fix issue with LDAP backend returning bytes instead of string
opendevreview Merged openstack/keystone master: Fix issue with LDAP backend returning bytes instead of string
*** dasm|rover is now known as dasm|off 21:47
