openstack-k8s-operators · xek · Mar 31, 2026
diff --git a/docs/dictionary/en-custom.txt b/docs/dictionary/en-custom.txt
@@ -23,6 +23,7 @@ UTF
 ZipFile
 aaabbcc
 abcdefghij
+accesstoken
 addr
 afuscoar
 alertmanager
@@ -42,6 +43,7 @@ args
 arx
 arxcruz
 auth
+authcode
 authfile
 autoconfiguration
 autoheld
@@ -110,6 +112,7 @@ cjeanner
 ckcg
 cli
 client
+clientcredentials
 clusterimageset
 clusterpool
 cmd
@@ -166,6 +169,7 @@ dev
 devscript
 devscripts
 devsetup
+deviceauthz
 dfb
 dfce
 dfg
@@ -299,11 +303,15 @@ junos
 jxe
 jzxbol
 kcgpby
+kctestuser1
+kctestuser2
 keepalived
 kerberos
 keycloak
 keypair
 keyring
+keystoneauth
+keystoneauth1
 keytab
 kinit
 kni
@@ -375,6 +383,7 @@ mtu
 multiline
 multinode
 multipath
+multirealm
 multus
 myorg
 mytest
@@ -423,6 +432,10 @@ ocpbm
 ocppr
 odkvmf
 oidc
+oidcaccesstoken
+oidcauthcode
+oidcclientcredentials
+oidcpassword
 okd
 ol
 olm
@@ -622,6 +635,11 @@ usermod
 usr
 utils
 uuid
+v3oidcaccesstoken
+v3oidcauthcode
+v3oidcclientcredentials
+v3oidcdeviceauthz
+v3oidcpassword
 vbibob
 vbmc
 vcgvuc

diff --git a/roles/federation/README.md b/roles/federation/README.md
@@ -1,4 +1,149 @@
-federation
-=========
+# federation
 
-This role will setup Openstack for user federation. The keycloak system will be used for the IdP provider.
+This role sets up OpenStack Keystone federation with Keycloak (Red Hat SSO) as the Identity Provider.
+
+## Overview
+
+The federation role configures:
+- Keycloak realm(s) with test users and groups
+- Keystone Identity Provider and protocol configuration
+- OIDC authentication for OpenStack CLI
+- Comprehensive authentication testing
+
+## Supported OIDC Authentication Methods
+
+This role supports testing all OIDC authentication methods available in keystoneauth1:
+
+| Plugin Name | Description | Status |
+|-------------|-------------|--------|
+| `v3oidcpassword` | Resource Owner Password Credentials flow | ✅ Supported |
+| `v3oidcclientcredentials` | Client Credentials flow | ✅ Supported |
+| `v3oidcaccesstoken` | Reuse existing access token | ✅ Supported |
+| `v3oidcauthcode` | Authorization Code flow | ✅ Supported |
+| `v3oidcdeviceauthz` | Device Authorization flow (RFC 8628) | ⚠️ Requires Python 3.10+ |
+
+## Variables
+
+### Infrastructure Configuration
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `cifmw_federation_keycloak_namespace` | `openstack` | Kubernetes namespace for Keycloak |
+| `cifmw_federation_run_osp_cmd_namespace` | `openstack` | Kubernetes namespace for openstackclient |
+| `cifmw_federation_domain` | - | Base domain for service URLs |
+
+### Keycloak Configuration
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `cifmw_federation_keycloak_realm` | `openstack` | Primary Keycloak realm name |
+| `cifmw_federation_keycloak_realm2` | `openstack2` | Secondary realm (multirealm mode) |
+| `cifmw_federation_keycloak_admin_username` | `admin` | Keycloak admin username |
+| `cifmw_federation_keycloak_admin_password` | `nomoresecrets` | Keycloak admin password |
+| `cifmw_federation_deploy_multirealm` | `false` | Deploy multiple realms |
+
+### Test Users
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `cifmw_federation_keycloak_testuser1_username` | `kctestuser1` | Test user 1 username |
+| `cifmw_federation_keycloak_testuser1_password` | `nomoresecrets1` | Test user 1 password |
+| `cifmw_federation_keycloak_testuser2_username` | `kctestuser2` | Test user 2 username |
+| `cifmw_federation_keycloak_testuser2_password` | `nomoresecrets2` | Test user 2 password |
+
+### Keystone Integration
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `cifmw_federation_IdpName` | `kcIDP` | Identity Provider name in Keystone |
+| `cifmw_federation_keystone_domain` | `SSO` | Keystone domain for federated users |
+| `cifmw_federation_mapping_name` | `SSOmap` | Keystone mapping name |
+| `cifmw_federation_project_name` | `SSOproject` | Project for federated users |
+| `cifmw_federation_group_name` | `SSOgroup` | Group for federated users |
+
+### OIDC Client Configuration
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `cifmw_federation_keystone_OIDC_ClientID` | `rhoso` | OIDC client ID |
+| `cifmw_federation_keystone_OIDC_ClientSecret` | `COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f` | OIDC client secret |
+| `cifmw_federation_keystone_OIDC_Scope` | `openid email profile` | OIDC scopes |
+
+### Testing Configuration
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `cifmw_federation_run_oidc_auth_tests` | `true` | Run OIDC auth tests |
+
+## Task Files
+
+### Main Tasks
+
+- `hook_pre_deploy.yml` - Deploys Keycloak before OpenStack
+- `hook_post_deploy.yml` - Configures federation after OpenStack deployment
+- `hook_controlplane_config.yml` - Adds federation config to control plane
+
+### Setup Tasks
+
+- `run_keycloak_setup.yml` - Deploy Keycloak operator and instance
+- `run_keycloak_realm_setup.yml` - Configure Keycloak realm, users, and client
+- `run_keycloak_client_setup.yml` - Enable advanced client features (Service Accounts, Device Auth)
+- `run_openstack_setup.yml` - Configure Keystone IdP and mappings
+- `run_openstack_auth_setup.yml` - Deploy authentication scripts to openstackclient pod
+
+### Test Tasks
+
+- `run_openstack_oidc_auth_tests.yml` - Comprehensive OIDC authentication test suite
+
+## Authentication Scripts
+
+The following scripts are deployed to `/home/cloud-admin/` in the openstackclient pod:
+
+| Script | Description |
+|--------|-------------|
+| `get-token.sh <user>` | Get token using v3oidcpassword |
+| `oidc-clientcredentials.sh` | Configure v3oidcclientcredentials auth |
+| `oidc-accesstoken.sh <token>` | Configure v3oidcaccesstoken auth |
+| `oidc-authcode.sh <code>` | Configure v3oidcauthcode auth |
+| `get-keycloak-token.sh` | Helper to obtain tokens from Keycloak |
+
+### Example Usage
+
+```bash
+# v3oidcpassword - Password flow
+kubectl exec -n openstack openstackclient -- bash -c \
+  'source /home/cloud-admin/kctestuser1 && openstack token issue'
+
+# v3oidcclientcredentials - Client Credentials flow
+kubectl exec -n openstack openstackclient -- bash -c \
+  'source /home/cloud-admin/oidc-clientcredentials.sh && openstack token issue'
+
+# v3oidcaccesstoken - Access Token flow
+ACCESS_TOKEN=$(/home/cloud-admin/get-keycloak-token.sh access_token kctestuser1 nomoresecrets1)
+kubectl exec -n openstack openstackclient -- bash -c \
+  "source /home/cloud-admin/oidc-accesstoken.sh '$ACCESS_TOKEN' && openstack token issue"
+
+# v3oidcauthcode - Authorization Code flow
+AUTH_CODE=$(/home/cloud-admin/get-keycloak-token.sh auth_code kctestuser1 nomoresecrets1)
+kubectl exec -n openstack openstackclient -- bash -c \
+  "source /home/cloud-admin/oidc-authcode.sh '$AUTH_CODE' && openstack token issue"
+```
+
+## Test Execution
+
+The OIDC authentication tests are automatically run during the `hook_post_deploy.yml` phase when `cifmw_federation_run_oidc_auth_tests` is `true` (default).
+
+To run the tests manually:
+
+```yaml
+- name: Run OIDC authentication tests
+  ansible.builtin.include_role:
+    name: federation
+    tasks_from: run_openstack_oidc_auth_tests.yml
+```
+
+## Notes
+
+- **Device Authorization Flow**: The `v3oidcdeviceauthz` plugin requires keystoneauth1 with Python 3.10+ support. OSP18 ships with Python 3.9 and does not include this plugin.
+- **Multirealm**: CLI-based OIDC authentication testing only works in single realm mode. Multirealm federation is supported for Horizon-based authentication.
+- **Keycloak Client**: The role automatically enables Service Accounts and Device Authorization on the Keycloak client to support all authentication methods.
diff --git a/roles/federation/defaults/main.yml b/roles/federation/defaults/main.yml
@@ -163,3 +163,20 @@ cifmw_federation_keystone_idp1_provider_filename: "keycloak-{{ cifmw_federation_
 cifmw_federation_keystone_idp2_conf_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.conf"
 cifmw_federation_keystone_idp2_client_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.client"
 cifmw_federation_keystone_idp2_provider_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.provider"
+
+# =============================================================================
+# OIDC AUTHENTICATION TESTING
+# =============================================================================
+# Configuration for OIDC authentication method testing
+#
+# When enabled, tests all supported OIDC authentication methods:
+#   - v3oidcpassword: Resource Owner Password Credentials flow
+#   - v3oidcclientcredentials: Client Credentials flow
+#   - v3oidcaccesstoken: Access Token Reuse flow
+#   - v3oidcauthcode: Authorization Code flow
+#
+# Note: v3oidcdeviceauthz (Device Authorization flow) requires Python 3.10+
+# and is not available in OSP18.
+
+# Enable/disable OIDC authentication method tests
+cifmw_federation_run_oidc_auth_tests: true
diff --git a/roles/federation/tasks/hook_post_deploy.yml b/roles/federation/tasks/hook_post_deploy.yml
@@ -84,13 +84,26 @@
 
 # MultiRole CLI testing is not available. It is only currently supported in Horizon.
 # Auth tests only run in single realm mode - not supported in multirealm
-- name: Run federation OSP User Auth test for first realm
+
+# =============================================================================
+# OIDC Authentication Methods Testing
+# =============================================================================
+# Tests all supported OIDC authentication methods when enabled.
+# This requires Keycloak client to be configured for Service Accounts
+# and Device Authorization.
+
+- name: Configure Keycloak client for OIDC auth methods
   ansible.builtin.include_role:
     name: federation
-    tasks_from: run_openstack_auth_test.yml
-  vars:
-    cifmw_federation_keycloak_testuser_username: "{{ item }}"
-  loop:
-    - "{{ cifmw_federation_keycloak_testuser1_username }}"
-    - "{{ cifmw_federation_keycloak_testuser2_username }}"
-  when: not cifmw_federation_deploy_multirealm|bool
+    tasks_from: run_keycloak_client_setup.yml
+  when:
+    - not cifmw_federation_deploy_multirealm | bool
+    - cifmw_federation_run_oidc_auth_tests | default(true) | bool
+
+- name: Run OIDC authentication method tests
+  ansible.builtin.include_role:
+    name: federation
+    tasks_from: run_openstack_oidc_auth_tests.yml
+  when:
+    - not cifmw_federation_deploy_multirealm | bool
+    - cifmw_federation_run_oidc_auth_tests | default(true) | bool