### Install Keystone Middleware

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Install the basic package, or install it with the optional dependencies for audit notifications or memcache encryption.

```bash
pip install keystonemiddleware
```

```bash
pip install keystonemiddleware[audit_notifications]
```

```bash
pip install keystonemiddleware[memcache_encryption]
```

--------------------------------

### Install Keystone Middleware with Audit Notifications

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/installation.md

Install Keystone Middleware with the dependencies needed to support audit notifications.

```bash
$ pip install keystonemiddleware[audit_notifications]
```

--------------------------------

### Install Keystone Middleware with Memcache Encryption

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/installation.md

Install Keystone Middleware with the dependencies needed to support memcache encryption.

```bash
$ pip install keystonemiddleware[memcache_encryption]
```

--------------------------------

### Configure auth_token with password authentication

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/middlewarearchitecture.md

Example configuration for the auth_token middleware using the password authentication type.

```ini
[keystone_authtoken]
auth_type = password
project_domain_name = Default
project_name = service
user_domain_name = Default
username = nova
password = ServicePassword
interface = public
auth_url = http://127.0.0.1:5000
# Any of the options that could be set in api-paste.ini can be set here.
```

--------------------------------

### Install Keystone Middleware using pip

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/installation.md

Use this command to install the base Keystone Middleware package. It can be installed directly or within a virtual environment.
```bash
$ pip install keystonemiddleware
```

```bash
$ mkvirtualenv keystonemiddleware
$ pip install keystonemiddleware
```

--------------------------------

### Keystone AuthToken Configuration Example

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.auth_token.md

This INI configuration is used for the keystone_authtoken middleware. It specifies the authentication plugin, URL, and credentials.

```ini
[keystone_authtoken]
auth_plugin = password
auth_url = http://keystone:5000/
username = nova
user_domain_id = default
password = whyarewestillusingpasswords
project_name = service
project_domain_id = default
```

--------------------------------

### CADF Audit Event Structure

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Example of a generated CADF audit event dictionary.

```python
# Example CADF audit event generated by the audit middleware
cadf_event = {
    'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event',
    'eventType': 'activity',
    'action': 'read',
    'outcome': 'success',
    'initiator': {
        'id': 'user-uuid',
        'typeURI': 'service/security/account/user',
        'name': 'admin',
        'project_id': 'project-uuid',
        'domain_id': 'domain-uuid'
    },
    'target': {
        'id': 'nova://server-uuid',
        'typeURI': 'service/compute/servers',
        'name': 'my-server'
    },
    'observer': {
        'id': 'target'
    },
    'eventTime': '2024-01-15T10:30:00.000000+00:00',
    'reason': {
        'reasonType': 'HTTP',
        'reasonCode': '200'
    }
}
```

--------------------------------

### Configuring External OAuth 2.0 Authorization Server Middleware

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Sets up the ext_oauth2_token filter and provides the configuration for external token introspection.
```ini
[pipeline:main]
pipeline = ext_oauth2_token myService

[filter:ext_oauth2_token]
paste.filter_factory = keystonemiddleware.external_oauth2_token:filter_factory
```

```ini
[ext_oauth2_auth]
# Introspection endpoint of the external authorization server
introspect_endpoint = https://auth-server.example.com/oauth2/introspect
audience = https://auth-server.example.com/oauth2/token

# Authentication method: client_secret_basic, client_secret_post,
# tls_client_auth, private_key_jwt, client_secret_jwt
auth_method = client_secret_basic
client_id = my-service-client
client_secret = client-secret-here

# For mTLS authentication
certfile = /etc/ssl/client.crt
keyfile = /etc/ssl/client.key
cafile = /etc/ssl/ca-bundle.crt

# Optional: verify certificate thumbprint binding
thumbprint_verify = false

# Token-to-identity field mapping
mapping_user_id = client_id
mapping_user_name = username
mapping_user_domain_id = user_domain_id
mapping_user_domain_name = user_domain_name
mapping_roles = scope
mapping_project_id = project_id
mapping_project_name = project_name
mapping_project_domain_id = project_domain_id
mapping_project_domain_name = project_domain_name

# Caching configuration
memcached_servers = localhost:11211
token_cache_time = 300
```

--------------------------------

### List Auth Token Options

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.md

Retrieves the list of available configuration options for the auth token middleware.

```APIDOC
## list_auth_token_opts()

### Description
Returns a list of configuration options supported by the auth token middleware.

### Endpoint
keystonemiddleware.opts.list_auth_token_opts
```

--------------------------------

### Manual Middleware Instantiation with AuthProtocol

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Manually instantiate the AuthProtocol middleware with a configuration dictionary to wrap your WSGI application.
```python
from keystonemiddleware import auth_token


class MyWSGIApplication:
    """Placeholder for your own WSGI application."""

    def __call__(self, environ, start_response):
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'ok']


def create_app():
    # Your WSGI application
    app = MyWSGIApplication()

    # Configuration dictionary (keys match the [keystone_authtoken] options)
    conf = {
        'auth_type': 'password',
        'auth_url': 'http://keystone:5000',
        'username': 'nova',
        'password': 'ServicePassword',
        'user_domain_name': 'Default',
        'project_name': 'service',
        'project_domain_name': 'Default',
        'www_authenticate_uri': 'http://keystone:5000',
        'memcached_servers': 'localhost:11211',
        'token_cache_time': '300',
    }

    # Wrap the application with the auth_token middleware
    return auth_token.AuthProtocol(app, conf)
```

--------------------------------

### Include Audit Filter in WSGI Pipeline

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/audit.md

Example of integrating the audit filter into a WSGI pipeline definition within Nova's api-paste.ini. It should follow the auth_token middleware.

```default
[composite:openstack_compute_api_v2]
use = call:nova.api.auth:pipeline_factory
noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
keystone = faultwrap sizelimit authtoken keystonecontext ratelimit audit osapi_compute_app_v2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext audit osapi_compute_app_v2
```

--------------------------------

### Configure JWT Authentication

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Settings for enabling the private_key_jwt authentication method.

```ini
[ext_oauth2_auth]
auth_method = private_key_jwt
client_id = my-service-client
jwt_key_file = /etc/ssl/jwt-signing-key.pem
jwt_algorithm = RS256
jwt_bearer_time_out = 3600
```

--------------------------------

### Configure auth_token in service configuration file

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/middlewarearchitecture.md

Sets the authentication strategy and credentials for the auth_token middleware in the main service configuration file.
```ini
[DEFAULT]
auth_strategy=keystone

[keystone_authtoken]
identity_uri = http://127.0.0.1:5000
admin_user = admin
admin_password = SuperSekretPassword
admin_tenant_name = service
# Any of the options that could be set in api-paste.ini can be set here.
```

--------------------------------

### Using filter_factory with paste.deploy

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Implement an app_factory function to integrate the auth_token middleware using paste.deploy.

```python
from keystonemiddleware.auth_token import filter_factory


class MyWSGIApplication:
    """Placeholder for your own WSGI application."""

    def __call__(self, environ, start_response):
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'ok']


def app_factory(global_conf, **local_conf):
    app = MyWSGIApplication()
    # filter_factory reads the auth_token options from the paste config
    auth_filter = filter_factory(global_conf, **local_conf)
    return auth_filter(app)
```

--------------------------------

### Configure AuditMiddleware

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Instantiate AuditMiddleware to generate CADF audit events for WSGI applications. It requires an audit map file that defines resource mappings and actions.

```python
from keystonemiddleware.audit import AuditMiddleware, filter_factory


class MyWSGIApplication:
    """Placeholder for your own WSGI application."""

    def __call__(self, environ, start_response):
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'ok']


# Manual instantiation
def create_audited_app():
    app = MyWSGIApplication()

    audit_conf = {
        'audit_map_file': '/etc/myservice/api_audit_map.conf',
        'service_name': 'myservice',
        'ignore_req_list': 'GET,HEAD',  # Skip auditing for these methods
        'ignore_path_list': '/healthcheck,/metrics',  # Skip these paths
    }

    return AuditMiddleware(app, **audit_conf)
```

```ini
[DEFAULT]
target_endpoint_type = myservice

[path_keywords]
resources = resource_id
items = item_id

[service_endpoints]
myservice = service/myservice

[custom_actions]
# Map HTTP method + path pattern to CADF action
POST:/resources = create
GET:/resources = read/list
GET:/resources/{resource_id} = read
PUT:/resources/{resource_id} = update
DELETE:/resources/{resource_id} = delete
```

--------------------------------

### List Auth Token Options

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.auth_token.md
Retrieves a list of all oslo_config options available for the auth_token middleware. Each option is returned as a tuple containing the group name and the options within that group. A group name of None indicates the [DEFAULT] group.

```APIDOC
## keystonemiddleware.auth_token.list_opts()

### Description
Return a list of oslo_config options available in auth_token middleware.

The returned list includes all oslo_config options which may be registered at runtime by the project.

Each element of the list is a tuple. The first element is the name of the group under which the list of elements in the second element will be registered. A group name of None corresponds to the [DEFAULT] group in config files.

NOTE: This function is no longer used for oslo_config sample generation. Some services rely on this function for listing ALL (including deprecated) options and registering them into their own config objects which we do not want for sample config files.

See: `keystonemiddleware.auth_token._opts.list_opts()` for sample config files.

### Returns
a list of (group_name, opts) tuples
```

--------------------------------

### Configure Keystone Authentication Settings

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Configure the authentication type, URL, credentials, and caching options in your service's configuration file (e.g., nova.conf).
```ini
[DEFAULT]
auth_strategy = keystone

[keystone_authtoken]
auth_type = password
auth_url = http://keystone.example.com:5000
username = nova
password = ServicePassword
user_domain_name = Default
project_name = service
project_domain_name = Default
www_authenticate_uri = http://keystone.example.com:5000
interface = internal
delay_auth_decision = false
memcached_servers = localhost:11211
token_cache_time = 300
memcache_security_strategy = ENCRYPT
memcache_secret_key = your-secret-key-here
service_token_roles = service
service_token_roles_required = true
enforce_token_bind = permissive
```

--------------------------------

### Configuring OAuth 2.0 Token Middleware

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Sets up the oauth2_token filter in the pipeline to handle Bearer token authentication.

```ini
[pipeline:main]
pipeline = oauth2_token myService

[filter:oauth2_token]
paste.filter_factory = keystonemiddleware.oauth2_token:filter_factory
```

--------------------------------

### Run the echo service

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.echo.service.md

Executes the echo service on port 8000 using the python module command.

```default
$ python -m keystonemiddleware.echo
```

--------------------------------

### AuthProtocol Class Initialization

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.auth_token.md

Initializes the AuthProtocol middleware, which handles client call authentication. It inherits from BaseAuthProtocol.

```python
keystonemiddleware.auth_token.AuthProtocol(app, conf)
```

--------------------------------

### Configure TLS and SASL for Memcached

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Enable TLS and SASL authentication for secure memcached connections. Specify the CA file, client certificate, and key file for TLS, and the username and password for SASL.
```ini
memcache_tls_enabled = true
memcache_tls_cafile = /etc/ssl/memcached-ca.crt
memcache_tls_certfile = /etc/ssl/memcached-client.crt
memcache_tls_keyfile = /etc/ssl/memcached-client.key
memcache_sasl_enabled = true
memcache_username = myservice
memcache_password = memcache-password
```

--------------------------------

### Configure Pipeline with ext_oauth2_token Filter

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/middlewarearchitecture.md

Use this configuration to replace the default authtoken filter with the ext_oauth2_token filter in your pipeline. This is typically done in the `keystone.conf` file.

```ini
[pipeline:main]
pipeline = ext_oauth2_token myService

[filter:ext_oauth2_token]
paste.filter_factory = keystonemiddleware.external_oauth2_token:filter_factory
```

--------------------------------

### Accessing Identity Information in WSGI Applications

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Demonstrates how to retrieve the authentication status and user identity attributes from the WSGI environment.
```python
def my_wsgi_app(environ, start_response):
    # Check whether the request was authenticated by auth_token
    identity_status = environ.get('HTTP_X_IDENTITY_STATUS', 'Invalid')
    if identity_status != 'Confirmed':
        start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
        return [b'Authentication required']

    # Access user information set by the middleware
    user_id = environ.get('HTTP_X_USER_ID')
    user_name = environ.get('HTTP_X_USER_NAME')
    project_id = environ.get('HTTP_X_PROJECT_ID')
    roles = environ.get('HTTP_X_ROLES', '').split(',')

    # Access the full token info
    token_info = environ.get('keystone.token_info', {})

    # Use the token_auth plugin for making authenticated requests to other services
    token_auth = environ.get('keystone.token_auth')

    # Your application logic here
    response_body = f'Hello {user_name} from project {project_id}'
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [response_body.encode()]
```

--------------------------------

### Configure auth_token filter in paste-deploy

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/middlewarearchitecture.md

Defines the filter factory for the auth_token middleware within a paste-deploy configuration file.

```ini
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
```

--------------------------------

### External OAuth2 Authentication Server Configuration

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/middlewarearchitecture.md

Configure the `[ext_oauth2_auth]` section to specify settings for communicating with an external OAuth2 authorization server. This includes details for TLS/SSL, token introspection, client authentication, and attribute mapping.

```ini
[ext_oauth2_auth]

# Required if the identity server requires a client certificate.
#certfile =

# Required if the identity server requires a client private key.
#keyfile =

# A PEM encoded Certificate Authority to use when verifying HTTPs
# connections. Defaults to system CAs.
#cafile =

# Verify HTTPS connections.
#insecure = False

# Request timeout value for communicating with the Identity API server.
#http_connect_timeout =

# The endpoint for the introspect API; it is used to verify that the OAuth 2.0
# access token is valid.
#introspect_endpoint =

# The audience should be the URL of the Authorization Server's Token
# Endpoint. The Authorization Server will verify that it is an intended
# audience for the token.
#audience =

# The auth_method must be the authentication method specified by the
# Authorization Server. The system supports 5 authentication methods:
# tls_client_auth, client_secret_basic, client_secret_post,
# client_secret_jwt, private_key_jwt.
#auth_method = client_secret_basic

# The OAuth 2.0 Client Identifier valid at the Authorization Server.
#client_id =

# The OAuth 2.0 client secret. When the auth_method is client_secret_basic,
# client_secret_post, or client_secret_jwt, the value is used; otherwise
# the value is ignored.
#client_secret =

# If the access token generated by the Authorization Server is bound to the
# OAuth 2.0 certificate thumbprint, the value can be set to true, and then
# the keystone middleware will verify the thumbprint.
#thumbprint_verify = False

# The jwt_key_file must be the certificate key file which has been
# registered with the Authorization Server. When the auth_method is
# private_key_jwt, the value is used; otherwise the value is ignored.
#jwt_key_file =

# The jwt_algorithm must be the algorithm specified by the Authorization
# Server. When the auth_method is client_secret_jwt, this value is often
# set to HS256; when the auth_method is private_key_jwt, the value is often
# set to RS256; otherwise the value is ignored.
#jwt_algorithm =

# This value is used to calculate the expiration time. After the
# expiration time, the access token can no longer be accepted. When the
# auth_method is client_secret_jwt or private_key_jwt, the value is used;
# otherwise the value is ignored.
#jwt_bearer_time_out = 3600

# Specifies the method for obtaining the project ID that currently needs
# to be accessed.
#mapping_project_id =

# Specifies the method for obtaining the project name that currently needs
# to be accessed.
#mapping_project_name =

# Specifies the method for obtaining the project domain ID that currently
# needs to be accessed.
#mapping_project_domain_id =

# Specifies the method for obtaining the project domain name that currently
# needs to be accessed.
#mapping_project_domain_name =

# Specifies the method for obtaining the user ID.
#mapping_user_id = client_id

# Specifies the method for obtaining the user name.
#mapping_user_name = username

# Specifies the method for obtaining the domain ID to which the user belongs.
#mapping_user_domain_id =

# Specifies the method for obtaining the domain name to which the user
# belongs.
#mapping_user_domain_name =

# Specifies the method for obtaining the list of roles in a project or
# domain owned by the user.
#mapping_roles =

# Specifies the method for obtaining the scope information indicating
# whether a token is system-scoped.
#mapping_system_scope =

# Specifies the method for obtaining the token expiration time.
#mapping_expires_at =

# Optionally specify a list of memcached server(s) to use for caching.
# If left undefined, tokens will instead be cached in-process.
#memcached_servers =

# In order to prevent excessive effort spent validating tokens, the
# middleware caches previously-seen tokens for a configurable duration
# (in seconds). Set to -1 to disable caching completely.
#token_cache_time = 300

# (Optional) If defined, indicate whether token data should be
# authenticated or authenticated and encrypted. If MAC, token data is
# authenticated (with HMAC) in the cache. If ENCRYPT, token data is
# encrypted and authenticated in the cache. If the value is not one of
# these options or empty, auth_token will raise an exception on
# initialization.
#memcache_security_strategy =

# (Optional, mandatory if memcache_security_strategy is defined)
# This string is used for key derivation.
#memcache_secret_key =
```

--------------------------------

### Configure auth_token Middleware in paste.ini

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Define the authtoken filter and pipeline in your service's api-paste.ini file to enable Keystone token validation.

```ini
[app:myService]
paste.app_factory = myService:app_factory

[pipeline:main]
pipeline = authtoken myService

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
```

--------------------------------

### Configure Service Token Support

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Enable service token support for composite authentication. Specify the roles required for service tokens and the service type for access rule validation.

```ini
[keystone_authtoken]
# Roles required for valid service tokens
service_token_roles = service,admin
service_token_roles_required = true

# Service type for access rule validation
service_type = compute
```

--------------------------------

### AuthProtocol.fetch_token

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.auth_token.md

Retrieves token information from either a PKI bundle or the identity server.

```APIDOC
## fetch_token(token, allow_expired=False)

### Description
Retrieve a token from either a PKI bundle or the identity server.

### Parameters
- **token** (str) - Required - The token ID to validate.
- **allow_expired** (bool) - Optional - Whether to allow expired tokens.

### Response
- **Raises** (exc.InvalidToken) - Raised if the token is rejected.
```

--------------------------------

### BaseAuthProtocol Class Initialization

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.auth_token.md

Initializes the BaseAuthProtocol class, which serves as a base for token checking implementations. It accepts the WSGI application, a logging object, and the token binding enforcement style.

```python
keystonemiddleware.auth_token.BaseAuthProtocol(app, log=, enforce_token_bind='permissive', service_token_roles=None, service_token_roles_required=False, service_type=None)
```

--------------------------------

### keystonemiddleware.echo.service

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.echo.md

Provides the EchoService class and echo_app function for handling echo requests.

```APIDOC
## keystonemiddleware.echo.service

### Description
This module provides the EchoService class and the echo_app function, which are used to echo back request information for debugging and testing purposes within the middleware stack.

### Components
- **EchoService**: A service class designed to handle echo operations.
- **echo_app()**: A factory function or application entry point for the echo service.
```

--------------------------------

### Make Requests with User and Service Tokens

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Forward a user request with both the original user token and the service's own token. The middleware will set service identity headers based on the service token.
```python
# Making requests with both user and service tokens
import requests


def forward_request(user_token, service_token):
    """Forward a user request to another service, adding this service's own token.

    service_token is the token the service obtained by authenticating to
    Keystone itself; obtaining it is outside the scope of this snippet.
    """
    return requests.get(
        'http://other-service:8080/api/resource',
        headers={
            'X-Auth-Token': user_token,        # Original user token
            'X-Service-Token': service_token,  # Service's own token
        }
    )


# The receiving service's auth_token middleware sets additional headers
# for the service identity:
#   HTTP_X_SERVICE_IDENTITY_STATUS = "Confirmed"
#   HTTP_X_SERVICE_USER_ID = "service-user-uuid"
#   HTTP_X_SERVICE_USER_NAME = "nova"
#   HTTP_X_SERVICE_PROJECT_ID = "service-project-uuid"
#   HTTP_X_SERVICE_ROLES = "service"
```

--------------------------------

### List Audit Options

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.audit.md

Retrieves a list of available oslo_config options for the audit middleware.

```APIDOC
## keystonemiddleware.audit.list_opts()

### Description
Return a list of oslo_config options available in audit middleware.

The returned list includes all oslo_config options which may be registered at runtime by the project.

Each element of the list is a tuple. The first element is the name of the group under which the list of elements in the second element will be registered. A group name of None corresponds to the [DEFAULT] group in config files.

### Parameters
None

### Returns
- **list** (list) - A list of (group_name, opts) tuples.
```

--------------------------------

### Making OAuth 2.0 Bearer Token Requests

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Shows the process of obtaining an access token from Keystone and using it in the Authorization header for subsequent requests.
```python
import requests

# Client authenticates with Keystone to get an access token
token_response = requests.post(
    'http://keystone:5000/v3/auth/tokens',
    json={
        'auth': {
            'identity': {
                'methods': ['application_credential'],
                'application_credential': {
                    'id': 'app-cred-id',
                    'secret': 'app-cred-secret'
                }
            }
        }
    }
)
token_response.raise_for_status()
# Keystone returns the token in the X-Subject-Token response header
access_token = token_response.headers['X-Subject-Token']

# Use the Bearer token in requests to protected services
response = requests.get(
    'http://nova:8774/v2.1/servers',
    headers={'Authorization': f'Bearer {access_token}'}
)
```

--------------------------------

### Keystonemiddleware Exception Classes

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/api/keystonemiddleware.exceptions.md

Overview of the exception hierarchy used for error handling in the keystonemiddleware module.

```APIDOC
## Exception: KeystoneMiddlewareException

### Description
Base exception class for all exceptions raised by the keystonemiddleware module.

### Base Class
Exception

---

## Exception: ConfigurationError

### Description
Raised when there is an error in the configuration of the middleware.

### Base Class
KeystoneMiddlewareException
```

--------------------------------

### Configure oslo.config project for middleware

Source: https://github.com/openstack/keystonemiddleware/blob/master/doc/source/middlewarearchitecture.md

Specifies the oslo.config project name for services that do not use the global configuration object.

```ini
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
oslo_config_project = nova
# oslo_config_file = /not_discoverable_location/nova.conf
```

--------------------------------

### Configure Memcached for Token Caching

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Set memcached parameters in the [keystone_authtoken] section to improve performance. Configure a security strategy, since the cache holds sensitive token data.
```ini
[keystone_authtoken]
# Memcached server list
memcached_servers = memcached1:11211,memcached2:11211

# Cache duration in seconds (-1 to disable)
token_cache_time = 300

# Security: MAC (authenticate) or ENCRYPT (encrypt + authenticate)
memcache_security_strategy = ENCRYPT
memcache_secret_key = your-32-char-secret-key-here-xx

# Connection pool settings
memcache_pool_dead_retry = 300
memcache_pool_maxsize = 10
memcache_pool_socket_timeout = 3
memcache_pool_unused_timeout = 60
memcache_pool_conn_get_timeout = 10
memcache_use_advanced_pool = true
```

--------------------------------

### Enable Audit Middleware in Pipeline

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Add the audit filter to the paste pipeline configuration.

```ini
# api-paste.ini - add the audit filter after auth_token
[pipeline:main]
pipeline = authtoken keystonecontext audit myService

[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = /etc/nova/api_audit_map.conf
service_name = nova
ignore_req_list = GET,HEAD
```

--------------------------------

### Handle Delegated Authentication in WSGI App

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Implement application logic to handle delegated authentication decisions (delay_auth_decision = true). Check the `HTTP_X_IDENTITY_STATUS` header and allow anonymous access to specific paths if needed.
```python
# Application handling delegated auth decisions
def my_wsgi_app(environ, start_response):
    identity_status = environ.get('HTTP_X_IDENTITY_STATUS', 'Invalid')

    # In delegated mode, requests with invalid or missing tokens are passed
    # through with X-Identity-Status = 'Invalid' instead of being rejected
    if identity_status != 'Confirmed':
        # Check whether this endpoint allows anonymous access
        path = environ.get('PATH_INFO', '')
        if path in ['/health', '/metrics', '/public']:
            # Allow anonymous access to these endpoints
            pass
        else:
            # Reject the unauthenticated request
            start_response('401 Unauthorized', [
                ('Content-Type', 'application/json'),
                ('WWW-Authenticate', 'Keystone uri="http://keystone:5000"')
            ])
            return [b'{"error": "Authentication required"}']

    # Process the request (user_id is None on the anonymous endpoints)
    user_id = environ.get('HTTP_X_USER_ID')
    # ... application logic
    start_response('200 OK', [('Content-Type', 'application/json')])
    return [b'{"user_id": "%s"}' % (user_id or 'anonymous').encode()]
```

--------------------------------

### Configuring OAuth 2.0 mTLS Middleware

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Configures the oauth2_mtls_token filter for mutual TLS client certificate binding.

```ini
[pipeline:main]
pipeline = oauth2_mtls_token myService

[filter:oauth2_mtls_token]
paste.filter_factory = keystonemiddleware.oauth2_mtls_token:filter_factory
```

--------------------------------

### Configure Audit Notifications

Source: https://context7.com/openstack/keystonemiddleware/llms.txt

Define notification drivers and transport settings for audit events.

```ini
# nova.conf - configure audit notifications
[audit_middleware_notifications]
# Use oslo.messaging for notifications (requires the oslo.messaging package)
use_oslo_messaging = true
driver = messagingv2
topics = notifications

# Or use the log driver to write audit events to the log file
# driver = log

# Custom transport URL if different from the service messaging
# transport_url = rabbit://user:pass@host:5672/vhost
```
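The header contract shown in "Accessing Identity Information in WSGI Applications", "Handle Delegated Authentication in WSGI App" and "Make Requests with User and Service Tokens" combined into one testable application, as an added example that is not part of the keystonemiddleware project: the authorization decision is a pure function over the WSGI environ, so both the delegated-auth fallback and the service-token headers can be exercised offline. The anonymous path list, the admin-only write rule and the Keystone URI are assumptions for the example.

```python
"""Added example (not project code): consume the headers auth_token sets.

These headers are only trustworthy when auth_token sits in front of the app,
because it strips any client-supplied X-User-*/X-Service-* headers first.
"""
import json

KEYSTONE_URI = "http://keystone:5000"       # assumed; matches the page's examples
ANONYMOUS_PATHS = {"/health", "/metrics"}   # assumed allow-list for delegated mode
WRITE_METHODS = {"POST", "PUT", "DELETE"}   # assumed policy: writes need 'admin'


def _roles(environ, header):
    """Split a comma-separated roles header, dropping blanks and whitespace."""
    raw = environ.get(header, "")
    return [r.strip() for r in raw.split(",") if r.strip()]


def identity_from_environ(environ):
    """Collect what auth_token exposes about the user and an optional service token.

    A missing X-Identity-Status counts as unauthenticated (fail closed).
    """
    return {
        "confirmed": environ.get("HTTP_X_IDENTITY_STATUS") == "Confirmed",
        "user_id": environ.get("HTTP_X_USER_ID"),
        "user_name": environ.get("HTTP_X_USER_NAME"),
        "project_id": environ.get("HTTP_X_PROJECT_ID"),
        "roles": _roles(environ, "HTTP_X_ROLES"),
        "service_confirmed":
            environ.get("HTTP_X_SERVICE_IDENTITY_STATUS") == "Confirmed",
        "service_user_name": environ.get("HTTP_X_SERVICE_USER_NAME"),
        "service_roles": _roles(environ, "HTTP_X_SERVICE_ROLES"),
    }


def authorize(environ):
    """Return (status, body_dict) for a request; pure so it can be unit-tested."""
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET")
    ident = identity_from_environ(environ)

    if not ident["confirmed"]:
        # Delegated mode (delay_auth_decision = true) passes invalid tokens
        # through with status 'Invalid'; only read-only allow-listed paths proceed.
        if path in ANONYMOUS_PATHS and method == "GET":
            return "200 OK", {"anonymous": True, "path": path}
        return "401 Unauthorized", {"error": "Authentication required"}

    if method in WRITE_METHODS and "admin" not in ident["roles"]:
        return "403 Forbidden", {"error": "admin role required"}

    body = {
        "user": ident["user_name"],
        "project": ident["project_id"],
        "roles": ident["roles"],
    }
    if ident["service_confirmed"]:
        # Request was forwarded by another service with X-Service-Token
        body["via_service"] = ident["service_user_name"]
        body["service_roles"] = ident["service_roles"]
    return "200 OK", body


def my_wsgi_app(environ, start_response):
    """WSGI entry point: renders the authorize() decision as a JSON response."""
    status, body = authorize(environ)
    headers = [("Content-Type", "application/json")]
    if status.startswith("401"):
        headers.append(("WWW-Authenticate", 'Keystone uri="%s"' % KEYSTONE_URI))
    start_response(status, headers)
    return [json.dumps(body).encode()]
```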