Closing this as invalid - setting authorization_ttl for the IdP in Keystone (or default_authorization_ttl in config) allows the appcreds to be created and work for this amount of time after the federated user has logged in.
May be not ideal for some applications, but clearly security considerations win here (user changed properties in 'upstream' IdP that would remove the roles passed to it thru mapping, or deleted from 'upstream' IdP altogether). ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1978833 Title: can not create application credential for federated user when mapping uses group Status in OpenStack Identity (keystone): Invalid Bug description: Tested on devstack/master + SAML2 and victoria + OpenIDConnect. Setup on devstack + SAML: - install devstack as per keystone-dsvm-py3-functional-federation-ubuntu-focal job - run the test keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2FederatedExternalAuthentication.test_request_scoped_token to ensure it works as expected - get the scoped token for the federated user - (fwiw I failed to use openstackclient with v3samlpassword, so I resorted to some cheating) - commented out the cleanups in that test, and logged the scoped token, used it then with the openstackclient try to create application credentials with that token: openstack --debug application credential create test fails with not finding roles: Invalid application credential: Could not find role assignment with role: 71a233e8d3f54a08a94ef260a39ce870, user or group: 055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91, project, domain, or system: df0d47600acd46428321899a65e47157. (HTTP 400) (Request-ID: req-429314bf-3060-4e94-ab78-69a10bdbd660) even while roles are there per debug output of access info: {"token": {"methods": ["token", "mapped"], "user": {"domain": {"id": "c4235afadccd49ec8e2ea0bb013f930c", "name": "c4235afadccd49ec8e2ea0bb013f930c"}, "id": "055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91", "name": "morty", "OS-FEDERATION": {"groups": [{"id": "1660ce0da8694cc99d9ad0ccba6102e6"}], "identity_provider": {"id": "samltest"}, "protocol": {"id": "mapped"}}}, "audit_ids": ["8yA8ngZRRZaYj99VfsLDkg"], "expires_at": "2022-06-15T14:48:14.000000Z", "issued_at": "2022-06-15T13:48:14.000000Z", "project": {"domain": {"id": "8f611bd7fca24b43b837e46205115279", "name": "federated_domain"}, "id": "df0d47600acd46428321899a65e47157", "name": "federated_project"}, "is_domain": false, "roles": [{"id": "71a233e8d3f54a08a94ef260a39ce870", "name": "member", "domain_id": null, "description": null, "options": {"immutable": true}}, {"id": "fd6a812d75d340d2b46c04681ca69774", "name": "reader", "domain_id": null, "description": null, "options": {"immutable": true}}], "catalog": [{"endpoints": [{"id": "1c0b1188496e4b4a991ef655dade6919", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.100.58/identity", "region": "RegionOne"}], "id": "d859f6754830449c997fd10cc21ace7c", "type": "identity", "name": "keystone"}]}} In the keystone there's the following trace: https://paste.openstack.org/show/814941/ Note that when using a mapping with concrete role assignments (via auto-provision of projects and explicitly assigning roles to them) everything works and app creds can be created as expected. Also a piece of a puzzle is that `openstack group contains user` does not show this user "055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91" belonging to the group "1660ce0da8694cc99d9ad0ccba6102e6", and `openstack role assignment list --user ... --effective` does not show any assignments too (while it does for a usual, non-federated user that only gets its roles thru a group membership). To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1978833/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp