Adding Multi-Factor Authentication Rules to Keystone Users via Custom Options
Introduction
Keystone has a concept of authentication plug-ins, and several of them can be in use at once, each selected by the authentication method a user requests via the API, CLI, or UI.
When it came to multi-factor authentication (MFA), it used to be possible only through an identity provider's own MFA method. That implied you were already using SAML or OIDC and forwarding the user to an external authentication service, whose signed response contents were then handed to Keystone. This approach effectively removes the credential validation step from Keystone, which then only validates the result of an authentication performed elsewhere.
Native per-user MFA
There was some work done in the Ocata cycle to enable support for multiple authentication methods on a per-user basis. Since Keystone by itself can use its database to perform password validation as well as other means of authentication (such as TOTP with Google Authenticator), it should be possible to require both methods for a single user. However, there needs to be some metadata associated with a user, and logic that uses that metadata, for Keystone to decide which methods it must see to authenticate that user. This is what those changes were about.
Adding Options to Users
There is a special "options" resource stored in the Keystone database for a given user which is not documented in the Keystone API reference at the time of writing. This resource can store MFA-related options such as multi_factor_auth_rules. The documented usage references are scarce, but this one came up:
At the time of writing, there is no way to specify custom options for new users or for user updates via the OpenStack CLI or via Horizon. The only way is to use the Keystone API directly, in an undocumented way:
This could be used to combine password authentication with TOTP or other authentication methods. Using SAML with TOTP also comes to mind if there is no MFA configured on the identity provider side.
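As an added illustration (not code from the original post or from Keystone itself), the following script builds the PATCH body that sets multi_factor_auth_rules through the user options described above and checks a set of presented methods against those rules the way Keystone does: a login passes when the methods used cover every method of at least one rule. The endpoint URL and user id are constructed placeholders; the request itself is not sent, so the script runs offline.

```python
import json

KEYSTONE_URL = "https://keystone.example.test:5000"  # constructed placeholder endpoint
MFA_RULES_OPT = "multi_factor_auth_rules"


def validate_rules(rules):
    """Return the rules as a list of lists of method names.

    Keystone stores the option as a list of lists: each inner list is one
    acceptable combination of auth methods. Malformed entries are rejected
    here so a bad payload never reaches the API.
    """
    if not isinstance(rules, list) or not rules:
        raise ValueError("rules must be a non-empty list of method lists")
    checked = []
    for rule in rules:
        if not isinstance(rule, list) or not rule:
            raise ValueError(f"each rule must be a non-empty list, got {rule!r}")
        if not all(isinstance(m, str) and m for m in rule):
            raise ValueError(f"method names must be non-empty strings: {rule!r}")
        checked.append(list(rule))
    return checked


def build_user_patch(user_id, rules):
    """Build the PATCH /v3/users/{id} call that stores MFA rules in user options.

    The real request also needs an X-Auth-Token header from an admin-scoped token.
    """
    body = {"user": {"options": {MFA_RULES_OPT: validate_rules(rules)}}}
    return f"{KEYSTONE_URL}/v3/users/{user_id}", json.dumps(body)


def rules_satisfied(rules, presented_methods):
    """True when the methods used in a token request cover at least one rule."""
    used = set(presented_methods)
    return any(used.issuperset(rule) for rule in validate_rules(rules))


if __name__ == "__main__":
    # Require password+TOTP, or a SAML assertion+TOTP, for this user.
    rules = [["password", "totp"], ["saml2", "totp"]]
    url, body = build_user_patch("USER_ID_PLACEHOLDER", rules)
    print("PATCH", url)
    print(body)
    # A password-only login is no longer enough once the rules are stored.
    print(rules_satisfied(rules, ["password"]))          # False
    print(rules_satisfied(rules, ["password", "totp"]))  # True
```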