Plugin Options

Usage

Using plugins via CLI

Plugins can be configured via CLI options, using argparse’s ArgumentParser. This is commonly used to produce client tooling that communicates with OpenStack APIs and therefore needs to allow authentication. For example, openstackclient allows configuration using CLI options.

When using auth plugins via CLI you can specify parameters via CLI options or via environment configuration, with CLI options superseding environment configuration. CLI options are specified with the pattern --os- and the parameter name. For example, to use the password plugin via CLI options you can specify:

openstack --os-auth-type password \
          --os-auth-url http://keystone.example.com:5000/ \
          --os-username myuser \
          --os-password mypassword \
          --os-project-name myproject \
          --os-default-domain-name mydomain \
          operation

Environment variables are specified using the pattern OS_ followed by the uppercase parameter name replacing - with _. Using the password example again:

export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://keystone.example.com:5000/
export OS_USERNAME=myuser
export OS_PASSWORD=mypassword
export OS_PROJECT_NAME=myproject
export OS_DEFAULT_DOMAIN_NAME=mydomain

Using plugins via clouds.yaml

Plugins can be configured via clouds.yaml files, which are supported by openstacksdk. When using a clouds.yaml, you specify the plugin name as auth_type within the cloud entry and then specify all plugin options within the auth key of the cloud entry. For example, to use the password plugin for a cloud entry mycloud in a clouds.yaml file you can specify:

clouds:
  mycloud:
    auth_type: password
    auth:
      auth_url: http://keystone.example.com:5000/
      username: myuser
      password: mypassword
      project_name: myproject
      default_domain_name: mydomain

Using plugins via config file

Plugins can be configured using INI-style configuration file, using oslo.config. This is commonly used to allow OpenStack service to talk to each other though it can be used for any service that wishes to authenticate against Keystone and uses oslo.config. For example, this configuration style is used to allow the Compute service (Nova) to talk to the Networking service (Neutron), Block Storage service (Cinder), and others.

When using the plugins via config file you define the plugin name as auth_type. The options of the plugin are then specified while replacing - with _ to be valid in configuration.

For example to use the password plugin in a config file you would specify:

[section]
auth_type = password
auth_url = http://keystone.example.com:5000/
username = myuser
password = mypassword
project_name = myproject
default_domain_name = mydomain

Using plugins via other mechanisms

Beyond the three configuration mechanisms described here, different services may implement loaders in their own way and you should consult their relevant documentation. However, the same auth options will always be available.

Built-in Plugins

This is a listing of all included plugins and the options that they accept. Plugins are listed alphabetically and not in any order of priority.

admin_token

Authenticate with an existing token and a known endpoint.

This plugin is primarily useful for development or for use with identity service ADMIN tokens. Because this token is used directly there is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect use this scope information.

Because there is no service catalog the endpoint that is supplied with initialization is used for all operations performed with this plugin so must be the full base URL to an actual service.


endpoint

The endpoint that will always be used

CLI options

--os-endpoint, --os-url

Environment variables

OS_ENDPOINT, OS_URL

token

The token that will always be used

CLI options

--os-token

Environment variables

OS_TOKEN

http_basic

Use HTTP Basic authentication to perform requests.

This can be used to instantiate clients for services deployed in standalone mode.

There is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.


endpoint

The endpoint that will always be used

CLI options

--os-endpoint

Environment variables

OS_ENDPOINT

password

User’s password

CLI options

--os-password

Environment variables

OS_PASSWORD

username

Username

CLI options

--os-username, --os-user-name

Environment variables

OS_USERNAME, OS_USER_NAME

none

Use no tokens to perform requests.

This can be used to instantiate clients for services deployed in noauth/standalone mode.

There is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.


endpoint

The endpoint that will always be used

CLI options

--os-endpoint

Environment variables

OS_ENDPOINT

password

Authenticate with a username and password.

Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.

As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be provided an unversioned URL to operate against.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

default-domain-id

Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.

CLI options

--os-default-domain-id

Environment variables

OS_DEFAULT_DOMAIN_ID

default-domain-name

Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.

CLI options

--os-default-domain-name

Environment variables

OS_DEFAULT_DOMAIN_NAME

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

password

User’s password

CLI options

--os-password

Environment variables

OS_PASSWORD

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id, --os-tenant-id

Environment variables

OS_PROJECT_ID, OS_TENANT_ID

project-name

Project name to scope to

CLI options

--os-project-name, --os-tenant-name

Environment variables

OS_PROJECT_NAME, OS_TENANT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

user-domain-id

User’s domain id

CLI options

--os-user-domain-id

Environment variables

OS_USER_DOMAIN_ID

user-domain-name

User’s domain name

CLI options

--os-user-domain-name

Environment variables

OS_USER_DOMAIN_NAME

user-id

User id

CLI options

--os-user-id

Environment variables

OS_USER_ID

username

Username

CLI options

--os-username, --os-user-name

Environment variables

OS_USERNAME, OS_USER_NAME

token

Given an existing token rescope it to another target.

Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.

As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be provided an unversioned URL to operate against.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

default-domain-id

Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.

CLI options

--os-default-domain-id

Environment variables

OS_DEFAULT_DOMAIN_ID

default-domain-name

Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.

CLI options

--os-default-domain-name

Environment variables

OS_DEFAULT_DOMAIN_NAME

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id, --os-tenant-id

Environment variables

OS_PROJECT_ID, OS_TENANT_ID

project-name

Project name to scope to

CLI options

--os-project-name, --os-tenant-name

Environment variables

OS_PROJECT_NAME, OS_TENANT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

token

Token to authenticate with

CLI options

--os-token

Environment variables

OS_TOKEN

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v2password

Authenticate with a username and password.

Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

password

Password to use

CLI options

--os-password

Environment variables

OS_PASSWORD

tenant-id

Tenant ID

CLI options

--os-tenant-id

Environment variables

OS_TENANT_ID

tenant-name

Tenant Name

CLI options

--os-tenant-name

Environment variables

OS_TENANT_NAME

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

user-id

User ID to login with

CLI options

--os-user-id

Environment variables

OS_USER_ID

username

Username to login with

CLI options

--os-username, --os-user-name

Environment variables

OS_USERNAME, OS_USER_NAME

v2token

Given an existing token rescope it to another target.

Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

tenant-id

Tenant ID

CLI options

--os-tenant-id

Environment variables

OS_TENANT_ID

tenant-name

Tenant Name

CLI options

--os-tenant-name

Environment variables

OS_TENANT_NAME

token

Token

CLI options

--os-token

Environment variables

OS_TOKEN

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3adfspassword

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

identity-provider

Identity Provider’s name (mandatory)

CLI options

--os-identity-provider

Environment variables

OS_IDENTITY_PROVIDER

identity-provider-url

An Identity Provider URL, where the SAML authentication request will be sent. (mandatory)

CLI options

--os-identity-provider-url

Environment variables

OS_IDENTITY_PROVIDER_URL

password

Password (mandatory)

CLI options

--os-password

Environment variables

OS_PASSWORD

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

protocol

Protocol for federated plugin (mandatory)

CLI options

--os-protocol

Environment variables

OS_PROTOCOL

service-provider-endpoint

Service Provider’s Endpoint (mandatory)

CLI options

--os-service-provider-endpoint

Environment variables

OS_SERVICE_PROVIDER_ENDPOINT

service-provider-entity-id

Service Provider’s SAML Entity ID (mandatory)

CLI options

--os-service-provider-entity-id

Environment variables

OS_SERVICE_PROVIDER_ENTITY_ID

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

username

Username (mandatory)

CLI options

--os-username

Environment variables

OS_USERNAME

v3applicationcredential

Authenticate with an application credential.

Authenticate to the identity service using the provided application credential secret and ID or name. If a name is used, you must also provide a username and user domain to assist in lookup.


application_credential_id

Application credential ID

CLI options

--os-application_credential_id

Environment variables

OS_APPLICATION_CREDENTIAL_ID

application_credential_name

Application credential name

CLI options

--os-application_credential_name

Environment variables

OS_APPLICATION_CREDENTIAL_NAME

application_credential_secret

Application credential auth secret (mandatory)

CLI options

--os-application_credential_secret

Environment variables

OS_APPLICATION_CREDENTIAL_SECRET

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

user-domain-id

User’s domain ID

CLI options

--os-user-domain-id

Environment variables

OS_USER_DOMAIN_ID

user-domain-name

User’s domain name

CLI options

--os-user-domain-name

Environment variables

OS_USER_DOMAIN_NAME

user-id

User’s user ID

CLI options

--os-user-id

Environment variables

OS_USER_ID

username

User’s username

CLI options

--os-username, --os-user-name

Environment variables

OS_USERNAME, OS_USER_NAME

v3fedkerb

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

identity-provider

Identity Provider’s name (mandatory)

CLI options

--os-identity-provider

Environment variables

OS_IDENTITY_PROVIDER

mutual-auth

Configures Kerberos Mutual Authentication

CLI options

--os-mutual-auth

Environment variables

OS_MUTUAL_AUTH

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

protocol

Protocol for federated plugin (mandatory)

CLI options

--os-protocol

Environment variables

OS_PROTOCOL

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3kerberos

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

mutual-auth

Configures Kerberos Mutual Authentication

CLI options

--os-mutual-auth

Environment variables

OS_MUTUAL_AUTH

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3multifactor

Authenticate using multiple factors.

Authenticate to the identity service using a combination of factors, such as username/password and a TOTP code.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

auth_methods

Methods to authenticate with. (mandatory)

CLI options

--os-auth_methods

Environment variables

OS_AUTH_METHODS

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3oauth1

access-key

OAuth Access Key (mandatory)

CLI options

--os-access-key

Environment variables

OS_ACCESS_KEY

access-secret

OAuth Access Secret (mandatory)

CLI options

--os-access-secret

Environment variables

OS_ACCESS_SECRET

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

consumer-key

OAuth Consumer ID/Key (mandatory)

CLI options

--os-consumer-key

Environment variables

OS_CONSUMER_KEY

consumer-secret

OAuth Consumer Secret (mandatory)

CLI options

--os-consumer-secret

Environment variables

OS_CONSUMER_SECRET

v3oauth2clientcredential

Authenticate with an OAuth2.0 client credential.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

oauth2_client_id

Client id for OAuth2.0 (mandatory)

CLI options

--os-oauth2_client_id

Environment variables

OS_OAUTH2_CLIENT_ID

oauth2_client_secret

Client secret for OAuth2.0 (mandatory)

CLI options

--os-oauth2_client_secret

Environment variables

OS_OAUTH2_CLIENT_SECRET

oauth2_endpoint

Endpoint for OAuth2.0 (mandatory)

CLI options

--os-oauth2_endpoint

Environment variables

OS_OAUTH2_ENDPOINT

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3oauth2mtlsclientcredential

Authenticate with an OAuth2.0 mTLS client credential.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

oauth2-client-id

Client credential ID for OAuth2.0 Mutual-TLS Authorization (mandatory)

CLI options

--os-oauth2-client-id

Environment variables

OS_OAUTH2_CLIENT_ID

oauth2-endpoint

Endpoint for OAuth2.0 Mutual-TLS Authorization (mandatory)

CLI options

--os-oauth2-endpoint

Environment variables

OS_OAUTH2_ENDPOINT

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3oidcaccesstoken

Authenticate with the OIDC Access Token flow.


access-token

OAuth 2.0 Access Token (mandatory)

CLI options

--os-access-token

Environment variables

OS_ACCESS_TOKEN

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

identity-provider

Identity Provider’s name (mandatory)

CLI options

--os-identity-provider

Environment variables

OS_IDENTITY_PROVIDER

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

protocol

Protocol for federated plugin (mandatory)

CLI options

--os-protocol

Environment variables

OS_PROTOCOL

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3oidcauthcode

Authenticate with the OIDC Authorization Code flow.


access-token-endpoint

OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.

CLI options

--os-access-token-endpoint

Environment variables

OS_ACCESS_TOKEN_ENDPOINT

access-token-type

OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”

CLI options

--os-access-token-type

Environment variables

OS_ACCESS_TOKEN_TYPE

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

client-id

OAuth 2.0 Client ID

CLI options

--os-client-id

Environment variables

OS_CLIENT_ID

client-secret

OAuth 2.0 Client Secret

CLI options

--os-client-secret

Environment variables

OS_CLIENT_SECRET

code

OAuth 2.0 Authorization Code (mandatory)

CLI options

--os-code, --os-authorization-code

Environment variables

OS_CODE, OS_AUTHORIZATION_CODE

discovery-endpoint

OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration

CLI options

--os-discovery-endpoint

Environment variables

OS_DISCOVERY_ENDPOINT

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

identity-provider

Identity Provider’s name (mandatory)

CLI options

--os-identity-provider

Environment variables

OS_IDENTITY_PROVIDER

openid-scope

OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.

CLI options

--os-openid-scope

Environment variables

OS_OPENID_SCOPE

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

protocol

Protocol for federated plugin (mandatory)

CLI options

--os-protocol

Environment variables

OS_PROTOCOL

redirect-uri

OpenID Connect Redirect URL

CLI options

--os-redirect-uri

Environment variables

OS_REDIRECT_URI

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3oidcclientcredentials

Authenticate with the OIDC Client Credentials flow.


access-token-endpoint

OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.

CLI options

--os-access-token-endpoint

Environment variables

OS_ACCESS_TOKEN_ENDPOINT

access-token-type

OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”

CLI options

--os-access-token-type

Environment variables

OS_ACCESS_TOKEN_TYPE

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

client-id

OAuth 2.0 Client ID

CLI options

--os-client-id

Environment variables

OS_CLIENT_ID

client-secret

OAuth 2.0 Client Secret

CLI options

--os-client-secret

Environment variables

OS_CLIENT_SECRET

discovery-endpoint

OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration

CLI options

--os-discovery-endpoint

Environment variables

OS_DISCOVERY_ENDPOINT

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

identity-provider

Identity Provider’s name (mandatory)

CLI options

--os-identity-provider

Environment variables

OS_IDENTITY_PROVIDER

openid-scope

OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.

CLI options

--os-openid-scope

Environment variables

OS_OPENID_SCOPE

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

protocol

Protocol for federated plugin (mandatory)

CLI options

--os-protocol

Environment variables

OS_PROTOCOL

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3oidcdeviceauthz

Authenticate with the OAuth 2.0 Device Authorization flow.


access-token-endpoint

OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.

CLI options

--os-access-token-endpoint

Environment variables

OS_ACCESS_TOKEN_ENDPOINT

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

client-id

OAuth 2.0 Client ID

CLI options

--os-client-id

Environment variables

OS_CLIENT_ID

client-secret

OAuth 2.0 Client Secret

CLI options

--os-client-secret

Environment variables

OS_CLIENT_SECRET

code-challenge-method

PKCE Challenge Method (RFC 7636)

CLI options

--os-code-challenge-method

Environment variables

OS_CODE_CHALLENGE_METHOD

device-authorization-endpoint

OAuth 2.0 Device Authorization Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.

CLI options

--os-device-authorization-endpoint

Environment variables

OS_DEVICE_AUTHORIZATION_ENDPOINT

discovery-endpoint

OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration

CLI options

--os-discovery-endpoint

Environment variables

OS_DISCOVERY_ENDPOINT

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

identity-provider

Identity Provider’s name (mandatory)

CLI options

--os-identity-provider

Environment variables

OS_IDENTITY_PROVIDER

openid-scope

OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.

CLI options

--os-openid-scope

Environment variables

OS_OPENID_SCOPE

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

protocol

Protocol for federated plugin (mandatory)

CLI options

--os-protocol

Environment variables

OS_PROTOCOL

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3oidcpassword

Authenticate with the OIDC Resource Owner Password Credentials flow.


access-token-endpoint

OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.

CLI options

--os-access-token-endpoint

Environment variables

OS_ACCESS_TOKEN_ENDPOINT

access-token-type

OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”

CLI options

--os-access-token-type

Environment variables

OS_ACCESS_TOKEN_TYPE

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

client-id

OAuth 2.0 Client ID

CLI options

--os-client-id

Environment variables

OS_CLIENT_ID

client-secret

OAuth 2.0 Client Secret

CLI options

--os-client-secret

Environment variables

OS_CLIENT_SECRET

discovery-endpoint

OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration

CLI options

--os-discovery-endpoint

Environment variables

OS_DISCOVERY_ENDPOINT

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

identity-provider

Identity Provider’s name (mandatory)

CLI options

--os-identity-provider

Environment variables

OS_IDENTITY_PROVIDER

idp_otp_key

A key to be used in the Identity Provider access token endpoint to pass the OTP value. E.g. totp

CLI options

--os-idp_otp_key

Environment variables

OS_IDP_OTP_KEY

openid-scope

OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.

CLI options

--os-openid-scope

Environment variables

OS_OPENID_SCOPE

password

Password (mandatory)

CLI options

--os-password

Environment variables

OS_PASSWORD

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

protocol

Protocol for federated plugin (mandatory)

CLI options

--os-protocol

Environment variables

OS_PROTOCOL

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

username

Username (mandatory)

CLI options

--os-username

Environment variables

OS_USERNAME

v3password

Authenticate with a username and password.

Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

password

User’s password

CLI options

--os-password

Environment variables

OS_PASSWORD

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

user-domain-id

User’s domain ID

CLI options

--os-user-domain-id

Environment variables

OS_USER_DOMAIN_ID

user-domain-name

User’s domain name

CLI options

--os-user-domain-name

Environment variables

OS_USER_DOMAIN_NAME

user-id

User’s user ID

CLI options

--os-user-id

Environment variables

OS_USER_ID

username

User’s username

CLI options

--os-username, --os-user-name

Environment variables

OS_USERNAME, OS_USER_NAME

v3samlpassword

auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

identity-provider

Identity Provider’s name (mandatory)

CLI options

--os-identity-provider

Environment variables

OS_IDENTITY_PROVIDER

identity-provider-url

An Identity Provider URL, where the SAML2 authentication request will be sent. (mandatory)

CLI options

--os-identity-provider-url

Environment variables

OS_IDENTITY_PROVIDER_URL

password

Password (mandatory)

CLI options

--os-password

Environment variables

OS_PASSWORD

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

protocol

Protocol for federated plugin (mandatory)

CLI options

--os-protocol

Environment variables

OS_PROTOCOL

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

username

Username (mandatory)

CLI options

--os-username

Environment variables

OS_USERNAME

v3token

Given an existing token rescope it to another target.

Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

token

Token to authenticate with

CLI options

--os-token

Environment variables

OS_TOKEN

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

v3tokenlessauth

Authenticate without a token, using an X.509 certificate.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

v3totp

Authenticate with a Time-based One-Time Password.

Authenticate to the identity service using a time-based one-time password. This is typically used in combination with another plugin as part of a multi-factor configuration.


auth-url

Authentication URL (mandatory)

CLI options

--os-auth-url

Environment variables

OS_AUTH_URL

domain-id

Domain ID to scope to

CLI options

--os-domain-id

Environment variables

OS_DOMAIN_ID

domain-name

Domain name to scope to

CLI options

--os-domain-name

Environment variables

OS_DOMAIN_NAME

passcode

User’s TOTP passcode

CLI options

--os-passcode

Environment variables

OS_PASSCODE

project-domain-id

Domain ID containing project

CLI options

--os-project-domain-id

Environment variables

OS_PROJECT_DOMAIN_ID

project-domain-name

Domain name containing project

CLI options

--os-project-domain-name

Environment variables

OS_PROJECT_DOMAIN_NAME

project-id

Project ID to scope to

CLI options

--os-project-id

Environment variables

OS_PROJECT_ID

project-name

Project name to scope to

CLI options

--os-project-name

Environment variables

OS_PROJECT_NAME

system-scope

Scope for system operations

CLI options

--os-system-scope

Environment variables

OS_SYSTEM_SCOPE

trust-id

ID of the trust to use as a trustee use

CLI options

--os-trust-id

Environment variables

OS_TRUST_ID

user-domain-id

User’s domain ID

CLI options

--os-user-domain-id

Environment variables

OS_USER_DOMAIN_ID

user-domain-name

User’s domain name

CLI options

--os-user-domain-name

Environment variables

OS_USER_DOMAIN_NAME

user-id

User’s user ID

CLI options

--os-user-id

Environment variables

OS_USER_ID

username

User’s username

CLI options

--os-username, --os-user-name

Environment variables

OS_USERNAME, OS_USER_NAME

Additional Plugins

keystoneauth is designed to be pluggable and Python packages exist that provide additional plugins.