opendevreview | OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.opendev.org/c/openstack/keystone/+/924460 | 02:59 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Replace deprecated in py312 datetime usages https://review.opendev.org/c/openstack/keystone/+/925008 | 07:10 |
tafkamax | Hi I have a question regarding OIDC and keystone and skyline | 09:22 |
tafkamax | ####################... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/WshNuWVlUdhFTdQcapFfPnud>) | 09:22 |
tafkamax | This is our config | 09:22 |
tafkamax | Now the problem is that during initial login from skyline the UI shows list of OIDC providers. And the link there contains a target_link_uri that points to an internal endpoint, not the public one. | 09:23 |
tafkamax | How can this be resolved? | 09:24 |
tafkamax | https://github.com/openstack/keystone-specs/blob/master/specs/keystone/2024.1/federated-identity-mapping-support-project-json-definition.rst | 10:26 |
tafkamax | Has somebody used this in conjunction with keycloak? | 10:26 |
tafkamax | E.g. keycloak creates the JSON that is requested by the keystone "OIDC-openstack-projects-client-mapper" | 10:27 |
tafkamax | Do I need to create Custom Protocol Mapper in Keycloak for this? | 10:31 |
gtema | Taavi Ansper: no clue about skyline, but using keycloak with keystone definitely requires a protocol mapper | 10:42 |
gtema | the spec you referred to is only a spec, with no implementation so far | 10:42 |
gtema | better is to use it in combination with https://github.com/vexxhost/keystone-keycloak-backend | 10:42 |
tafkamax | <gtema> "the spec you referred is only..." <- ah okay, my bad... | 10:51 |
tafkamax | I am just thinking of ways to add users who match multiple groups to all of those groups. | 10:52 |
tafkamax | * I am just thinking of ways to add users who match multiple groups to all of the projects those groups should see | 10:52 |
tafkamax | There is currently any_one_of, which is an OR statement, but I wish there were an AND statement, all_of. | 10:53 |
tafkamax | Currently what is happening is that users are in two different groups, and when they log in they get put into one of the two projects, but not into both of them | 10:54 |
tafkamax | My mapping looks like this:... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/tuqJLmJLwLooiEuJjkdOHidi>) | 10:56 |
tafkamax | Pretty much for each department we have a separate project, but some members have several of these OIDC group memberships as they work for multiple departments. Currently only one of the projects is assigned to them. | 10:57 |
gtema | The referenced project mapping is of no help. Using the backend driver lets you achieve perfect logical group mapping | 11:24 |
tafkamax | Huh okay.. | 11:31 |
tafkamax | So I would need to create my own backend driver for OIDC/Keycloak? | 11:35 |
gtema | you just take the one from VexxHost (I linked above) | 11:43 |
opendevreview | Jimmy McCrory proposed openstack/ldappool master: Retry or failover when using TLS https://review.opendev.org/c/openstack/ldappool/+/882448 | 14:04 |
opendevreview | Jimmy McCrory proposed openstack/ldappool master: Retry or failover when using TLS https://review.opendev.org/c/openstack/ldappool/+/882448 | 16:29 |
*** ministry is now known as __ministry | 18:27 |