OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Does openunison support the resource owner password credential (ROPC) auth grant? #89

Closed OjasviAgarwal closed 6 months ago

OjasviAgarwal commented 7 months ago

I want to be able to get the id_token by passing the username and password to the /token rest api endpoint of OpenUnison for service accounts. Is this grant flow supported in OpenUnison? If so, do we have any documentation around the same? I searched online and didn't find anything.

mlbiam commented 7 months ago

> I want to be able to get the id_token by passing the username and password to the /token rest api endpoint of OpenUnison for service accounts. Is this grant flow supported in OpenUnison

Not directly, no. Since this would only really work with LDAP/AD we decided not to implement it. That said, getting a "service account" for use in CI is a pretty common use case with OpenUnison. What's your backend identity store? Is it a remote IdP like Okta or LDAP/AD?

I've got a template that we use to get the id_token for use with your API server; it just depends on what you're using for identity.

OjasviAgarwal commented 7 months ago

In an ideal world, I would want to use the AzureAD IdP, which would have regular users, groups as well as service accounts. We are fine with the regular users using the UI driven flow since OpenUnison does the group id to group name mapping beneficial for RBAC. We want the API driven flow (non-UI) for CI/CD and client code where credentials can be passed and the id_token can be fetched remotely. We are willing to compromise on creating the service accounts and managing them on our own in OpenUnison instead of AzureAD (if OpenUnison supports that; Keycloak does it but doesn't do the id -> group mapping) and use the ROPC flow or your template to get the id_token.

mlbiam commented 7 months ago

> In an ideal world, I would want to use the AzureAD IdP

There are two ways you could do this:

  1. Simulate a login via the web - Here's an example of this with Okta; using AzureAD/Entra would likely be similar - https://www.tremolosecurity.com/post/pipelines-and-kubernetes-authentication
  2. Use the Graph API to validate the service account credentials - I think we can use the credentials grant to validate credentials and load the user's information. Let me take a look.

mlbiam commented 6 months ago

closing due to inactivity