Keystone should propagate redirect exceptions from auth plugins
Bug #1854041 reported by
Alvaro Lopez
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
In Progress
|
Undecided
|
Alvaro Lopez | ||
Bug Description
When a developer is implementing an Authentication plugin [1] they can only return None and setup the relevant information in the auth context or raise an Unauthorized exception. However, in some cases (like an OpenID Connect plugin) it is needed to perform a redirect to the provider to complete the flow. IIRC this was possible in the past (before moving to Flask) by raising an exception with the proper HTTP code set, but with the current implementation this is impossible.
[1]: https:/
Revision history for this message
| Colleen Murphy (krinkle) wrote | #1 |
| Changed in keystone: | |
| status: | New → Incomplete |
Revision history for this message
| Alvaro Lopez (aloga) wrote | #2 |
Revision history for this message
| Colleen Murphy (krinkle) wrote | #3 |
Revision history for this message
| Alvaro Lopez (aloga) wrote | #4 |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #5 |
| Changed in keystone: | |
| status: | Incomplete → Expired |
| Changed in keystone: | |
| status: | Expired → Confirmed |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #6 |
| Changed in keystone: | |
| assignee: | nobody → Alvaro Lopez (aloga) |
| status: | Confirmed → In Progress |
Revision history for this message
| Alvaro Lopez (aloga) wrote | #7 |
To post a comment you must log in.
It would be great to get more information, like the link to the code for your auth plugin so that someone can reproduce it, and specifics on which versions of keystone this used to work for. If this behavior changed when Flask was introduced, that's definitely a regression we should fix.