Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

8. Workload Federation

Date: 2025-11-03

Status

Accepted

Context

It is often desired to access the OpenStack cloud from workloads (i.e. GitHub workflow, Zuul job, etc). Usually such services provide a JWT issued by the platform which the service provider can trust. This is very similar (and technically relates) to the OIDC standard.

In the JWT flow the “user” is exchanging a JWT token issued by the trusted IdP for a Keystone token. This authentication response includes a token and a service catalog to provide a known OpenStack usage scenario.

Decision

OIDC mappings MUST specify a type which is oidc or jwt to specify the flow they define. A jwt type mapping can be only used in the JWT flow.

The new authentication API includes the IdP ID. The authentication request does not support the Json request body and uses a generic authorization: bearer <jwt> header and openstack-mapping-name: <mapping_name> to request the information. Depending on the mapping configuration the desired authorization scope is returned. The flow does not support explicitly requesting the scope beyond what is described by the mapping.

Consequences

  • A new API to exchange JWT token for the Keystone token is added.

  • JWT auth must provide the mapping name.

  • The mapping SHOULD point to some for of the technical user.