SovereignCloudStack / issues

This repository is used for issues that are cross-repository or not bound to a specific repository.
https://github.com/orgs/SovereignCloudStack/projects/6

Test with Zitadel #260

Open reqa opened 1 year ago

reqa commented 1 year ago

As followup of the SIG IAM Meeting with Zitadel we should test if Zitadel works for us in the testbed. The purpose is to check it against the criteria specified via #254.

Definition of Done:

mffap commented 1 year ago

as indicated here: https://github.com/SovereignCloudStack/issues/issues/221#issuecomment-1449804249 you probably soon can test device auth grant as well.

reqa commented 1 year ago

At the time of writing it lacks support for adding custom claims. In the standard OpenStack OIDC federation custom claims are used to communicate e.g. the openstack-default-project. This lacking feature makes workarounds necessary in the openstack oidc federation mapping. Zitadel offers a generic urn:zitadel:iam:user:metadata, but that may be hard to handle with the limited technical means that the static openstack mapping supports. See https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html

mffap commented 1 year ago

> At the time of writing it lacks support for adding custom claims. In the standard OpenStack OIDC federation custom claims are used to communicate e.g. the openstack-default-project. This lacking feature makes workarounds necessary in the openstack oidc federation mapping. Zitadel offers a generic urn:zitadel:iam:user:metadata, but that may be hard to handle with the limited technical means that the static openstack mapping supports. See https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html

@reqa we are very close to release https://github.com/zitadel/zitadel/issues/3997 With that you can generate custom claims (eg, from metadata or roles)

mffap commented 1 year ago

> At the time of writing it lacks support for adding custom claims. In the standard OpenStack OIDC federation custom claims are used to communicate e.g. the openstack-default-project. This lacking feature makes workarounds necessary in the openstack oidc federation mapping. Zitadel offers a generic urn:zitadel:iam:user:metadata, but that may be hard to handle with the limited technical means that the static openstack mapping supports. See https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html

@reqa we are very close to release zitadel/zitadel#3997 With that you can generate custom claims (eg, from metadata or roles)

Actually you can see an example of setting custom claims already here https://github.com/zitadel/actions/blob/main/examples/custom_roles.js
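Putting the two halves of this discussion together (reqa's point that Keystone's static mapping needs an `openstack-default-project` claim, and the custom-claims action style mffap links to), here is an added example that is not code from this issue, from Zitadel or from Keystone. It assumes the shape of Zitadel's "Complement Token" action API (`ctx.v1.user.getMetadata()` returning `{metadata: [{key, value}]}` with base64-encoded values, `ctx.v1.user.grants` with `count`/`grants[].projectId`/`grants[].roles`, and `api.v1.claims.setClaim(key, value)`), a hypothetical metadata key `openstack-default-project`, and a deliberately simplified stand-in for Keystone's mapping evaluation so the consuming side can be exercised offline. The sample metadata, grants and username are constructed.

```javascript
// Added example, not code from this issue, Zitadel or Keystone. Assumed (unverified here):
// Zitadel's "Complement Token" action API, i.e. ctx.v1.user.getMetadata() ->
// {metadata: [{key, value}]} with base64-encoded values, ctx.v1.user.grants ->
// {count, grants: [{projectId, roles}]}, api.v1.claims.setClaim(key, value); and a
// hypothetical metadata key "openstack-default-project". evaluateMapping() is a
// simplified stand-in for Keystone's mapping engine, only to show how the claim is consumed.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Byte-wise base64 decoder so the action also runs in Zitadel's goja runtime (no Buffer).
function b64decode(s) {
  let acc = 0, bits = 0, out = '';
  for (const ch of s.replace(/=+$/, '')) {
    const idx = B64.indexOf(ch);
    if (idx < 0) throw new Error('invalid base64 in metadata value');
    acc = (acc << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return out;
}

// Zitadel action for trigger "Pre access token creation" / "Pre Userinfo creation":
// copy the default-project metadata into its own claim and flatten project grants
// into "projectId:role" strings, as zitadel/actions examples/custom_roles.js does for roles.
function setOpenStackClaims(ctx, api) {
  const md = ctx.v1.user.getMetadata();
  for (const entry of (md && md.metadata) || []) {
    if (entry.key === 'openstack-default-project') {
      api.v1.claims.setClaim('openstack-default-project', b64decode(entry.value));
    }
  }
  const grants = ctx.v1.user.grants;
  if (grants && grants.count > 0) {
    const roles = [];
    grants.grants.forEach(g => g.roles.forEach(r => roles.push(g.projectId + ':' + r)));
    api.v1.claims.setClaim('openstack-roles', roles);
  }
}

// Keystone federation mapping; mod_auth_openidc passes claims on as OIDC-<claim>
// (its default OIDCClaimPrefix), which is the name the "remote" section matches.
const KEYSTONE_MAPPING = {
  rules: [{
    local: [
      { user: { name: '{0}' } },
      { projects: [{ name: '{1}', roles: [{ name: 'member' }] }] }
    ],
    remote: [{ type: 'OIDC-preferred_username' }, { type: 'OIDC-openstack-default-project' }]
  }]
};

// Simplified rule evaluation: every remote attribute must be present (and pass any_one_of
// if given); {n} in "local" is replaced by the n-th remote value. null if no rule matches.
function evaluateMapping(mapping, claims) {
  for (const rule of mapping.rules) {
    const values = [];
    let matched = true;
    for (const remote of rule.remote) {
      const v = claims[remote.type];
      if (v === undefined || (remote.any_one_of && !remote.any_one_of.includes(v))) { matched = false; break; }
      values.push(String(v));
    }
    if (!matched) continue;
    const rendered = JSON.stringify(rule.local).replace(/\{(\d+)\}/g,
      (_, i) => JSON.stringify(values[Number(i)]).slice(1, -1)); // keep JSON escaping intact
    return JSON.parse(rendered);
  }
  return null;
}

// Constructed stand-ins for ctx/api so the action can be exercised offline; the result is
// returned with the OIDC- prefix Keystone would see.
function runAction(metadataEntries, grants, extraClaims) {
  const claims = Object.assign({}, extraClaims);
  const ctx = { v1: { user: { getMetadata: () => ({ metadata: metadataEntries }), grants } } };
  const api = { v1: { claims: { setClaim: (k, v) => { claims[k] = v; } } } };
  setOpenStackClaims(ctx, api);
  const prefixed = {};
  for (const [k, v] of Object.entries(claims)) prefixed['OIDC-' + k] = v;
  return prefixed;
}

// Constructed sample user: metadata value is base64("demo-project"), one "member" grant.
const SAMPLE_METADATA = [{ key: 'openstack-default-project', value: 'ZGVtby1wcm9qZWN0' }];
const SAMPLE_GRANTS = { count: 1, grants: [{ projectId: 'scs-demo', roles: ['member'] }] };

function demo() {
  const user = { preferred_username: 'alice' };
  return {
    withClaim: evaluateMapping(KEYSTONE_MAPPING, runAction(SAMPLE_METADATA, SAMPLE_GRANTS, user)),
    // No metadata -> no claim -> the rule does not match; the gap reqa describes above.
    withoutClaim: evaluateMapping(KEYSTONE_MAPPING, runAction([], null, user))
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Only `setOpenStackClaims` would go into Zitadel (attached to the Complement Token flow); the rest is the offline harness. Two things to check when testing this against the testbed: the claim name must be exactly what the Keystone `remote` entry expects after the `OIDC-` prefix is applied, and the rule silently fails to match when the claim is absent, which is why a missing custom claim forces the mapping workarounds mentioned above rather than producing an error.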

JuanPTM commented 1 year ago

> > At the time of writing it lacks support for adding custom claims. In the standard OpenStack OIDC federation custom claims are used to communicate e.g. the openstack-default-project. This lacking feature makes workarounds necessary in the openstack oidc federation mapping. Zitadel offers a generic urn:zitadel:iam:user:metadata, but that may be hard to handle with the limited technical means that the static openstack mapping supports. See https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html

> @reqa we are very close to release zitadel/zitadel#3997 With that you can generate custom claims (eg, from metadata or roles)

> Actually you can see an example of setting custom claims already here https://github.com/zitadel/actions/blob/main/examples/custom_roles.js

~At the moment we are using the docker image (Image_id: 6c75bbcf8cab), where should we put something similar to test the behavior sending the correct claim?~

mffap commented 1 year ago

> ~At the moment we are using the docker image (Image_id: 6c75bbcf8cab), where should we put something similar to test the behavior sending the correct claim?~

The release is coming with v2.22.0. That should land in the next days, currently there are release candidates for testing: https://github.com/zitadel/zitadel/releases

fkr commented 1 year ago

Still waiting for Device Authorization Grant Flows and Custom Claims to be available.

mffap commented 1 year ago

> Still waiting for Device Authorization Grant Flows and Custom Claims to be available.

v2.22.2 is released already. So custom claims, also with role context, can be tested.

I think for Device Auth Grant we mentioned that for now this could also be tested with PAT and then use Device Auth Grant when ready. The latter will land with one of the next sprints in zitadel.

mffap commented 1 year ago

> Still waiting for Device Authorization Grant Flows and Custom Claims to be available.

Device Auth Grant is now included in zitadel https://github.com/zitadel/zitadel/releases/tag/v2.26.0

Keen to know how it goes.