Public bug reported:

On keystone configured with OIDC federated login and disable_user_account_days_inactive, accounts become disabled after the specified number of days even if users regularly access accounts with OIDC login. OIDC login does not count as activity, nor does token authentication. It seems direct authentication with username/password is expected for activity.

From a review of the source, it appears there are 2 cases where keystone updates last_active_at in the database. The first is authenticating with a password: https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L900-L908 The second is when a federated (e.g. OIDC) login happens for an ephemeral user: https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L1486-L1512

We use federated users but we map them to existing local keystone users in the default domain - so they're not ephemeral. To confirm, I switched our mapping to ephemeral. With mapping set to ephemeral, logging into OIDC does update the last_active_at field, but it creates a second user account in a separate domain, and this is not our use case.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1902261

Title:
  Federated identity login does not prevent disabling account due to inactivity

Status in OpenStack Identity (keystone):
  New
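The failure mode the report describes, as an added model written for this page (not keystone's own code): each authentication path either refreshes last_active_at or does not, and a user who logs in daily through a mapped federated account is still disabled once the inactivity limit passes. The 90-day limit, the user name and the dates are constructed values; `refresh_mapped` is a hypothetical flag standing in for the behaviour the reporter expects.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for [security_compliance] disable_user_account_days_inactive.
DAYS_INACTIVE = 90


@dataclass
class User:
    name: str
    last_active_at: date
    enabled: bool = True


# Which authentication paths refresh last_active_at, as the report describes:
# password auth and ephemeral federated logins do; federated logins mapped to
# an existing local user, and token auth, do not.
REFRESHES_ACTIVITY = {
    "password": True,
    "federated_ephemeral": True,
    "federated_mapped": False,
    "token": False,
}


def check_inactivity(user, today, days_inactive=DAYS_INACTIVE):
    """Modelled inactivity check: disable once the idle period exceeds the limit."""
    if user.enabled and (today - user.last_active_at).days > days_inactive:
        user.enabled = False
    return user.enabled


def authenticate(user, method, today, refresh_mapped=False):
    """Modelled login; returns True on success. refresh_mapped=True (hypothetical)
    makes a mapped federated login count as activity, as the reporter expects."""
    if not check_inactivity(user, today):
        return False
    if REFRESHES_ACTIVITY[method] or (method == "federated_mapped" and refresh_mapped):
        user.last_active_at = today
    return True


def simulate_daily_logins(method, n_days, refresh_mapped=False, start=date(2020, 1, 1)):
    """Log in every day for n_days; return the first day the login fails, else None."""
    user = User("alice", last_active_at=start)  # constructed sample user
    for day in range(1, n_days + 1):
        if not authenticate(user, method, start + timedelta(days=day), refresh_mapped):
            return day
    return None


if __name__ == "__main__":
    for method in REFRESHES_ACTIVITY:
        print(method, "locked out on day:", simulate_daily_logins(method, 200))
    print("federated_mapped with fix:", simulate_daily_logins("federated_mapped", 200, True))
```

The mapped federated user is locked out on day 91 despite logging in every day, while the password and ephemeral cases never are; the same daily logins keep the account enabled once mapped logins refresh last_active_at.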