Below are some sample use cases for how a client and service interact with the OpenStack Identity service, Keystone:

  1. Here is an example of the default authentication sequence. The flow starts with the client knowing only its credentials and the URL of Keystone. The client sends its credentials to Keystone and gets back a default (unscoped) token. That token is then used to get the list of tenants the user has access to. The user then authenticates again, this time specifying the tenant they want to authenticate against, and gets a token that is scoped to that tenant. That scoped token gives them the necessary rights to perform operations on that tenant (like creating a VM under that tenant in Nova). Authenticating against the tenant also returns a service catalog, which lists all the endpoints the client can go to to manage resources under that tenant. The client then picks an endpoint (in the diagram, the nova endpoint) and performs operations (like create instance to create a VM), passing the token in with each call. The service, nova in this example, checks with Keystone to see if the token is valid. Keystone responds and also returns additional information such as the user name and the roles the user holds. Nova then decides, based on that information, whether the user and token have the necessary rights to perform the operation and, if they do, performs it.


  2. This shows a similar sequence to the one above, but with a shortcut. In this case the client already knows its tenant, so it gets a scoped token in the first step and then calls nova right away to perform its operations. This is a common use case, since many clients already know their tenant ID or name.


  3. This third sequence is slightly different. In this situation the client knows the URL for Nova, but not necessarily which authentication protocols are supported or what the Keystone URL is. The flow is a lot like how browsers negotiate with web servers. The client sends an unauthenticated call to Nova, and Nova responds with a 401 listing the supported protocols in one or more WWW-Authenticate headers. If Basic Auth is supported, this would be returned:

    WWW-Authenticate: Basic

    In the case of Keystone authentication, the returned header says the Keystone protocol is supported and gives the Keystone URL:

    WWW-Authenticate: Keystone uri="https://identity.example.com:35357/"

    The client then goes to that URL, retrieves a token, and repeats the call to Nova, this time providing the token. Because the Keystone URL is learned from an unauthenticated response, the client should only send its credentials to a URL it is prepared to trust (served over HTTPS, and ideally an expected host); otherwise a spoofed 401 could steer the credentials to an attacker.
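The first two sequences written out in Python, as an added example that is not part of this page or of Keystone's own code. It runs against constructed in-memory stand-ins for Keystone and Nova (FakeKeystone and nova_create_server): the user alice, the tenants project-a and project-b, their roles and the compute URL are all made up for illustration. The request and response shapes follow the Identity v2.0 API (POST /v2.0/tokens, GET /v2.0/tenants, GET /v2.0/tokens/{id}), but the HTTP transport is elided so the exchange runs offline.

```python
"""Keystone v2.0-style token flow for use cases 1 and 2 (added example, not Keystone's own code).
FakeKeystone and nova_create_server are constructed in-memory stand-ins so the exchange runs
offline; the user, tenants, roles and URLs are made up. Request/response shapes follow the
Identity v2.0 API (POST /v2.0/tokens, GET /v2.0/tenants, GET /v2.0/tokens/{id}); HTTP is elided."""
import secrets


class FakeKeystone:
    USERS = {"alice": {"id": "u-1", "password": "s3cret"}}          # constructed
    TENANTS = {"t-1": "project-a", "t-2": "project-b"}               # constructed
    ROLES = {("u-1", "t-1"): ["member"], ("u-1", "t-2"): ["admin"]}   # constructed
    COMPUTE_URL = "https://compute.example.com/v2/%s"               # constructed

    def __init__(self):
        self.tokens = {}  # token id -> {"user_id": ..., "tenant_id": ... or None}

    def post_tokens(self, body):
        """POST /v2.0/tokens: password or token auth, unscoped or scoped to one tenant."""
        auth = body.get("auth", {})
        if "passwordCredentials" in auth:
            creds = auth["passwordCredentials"]
            user = self.USERS.get(creds.get("username"))
            if user is None or user["password"] != creds.get("password"):
                return 401, {"error": {"message": "Invalid user / password"}}
            user_id = user["id"]
        elif auth.get("token", {}).get("id") in self.tokens:
            user_id = self.tokens[auth["token"]["id"]]["user_id"]
        else:
            return 401, {"error": {"message": "Could not authenticate"}}
        scoped = "tenantId" in auth or "tenantName" in auth
        tenant_id = auth.get("tenantId") or next(
            (t for t, n in self.TENANTS.items() if n == auth.get("tenantName")), None)
        if scoped and (user_id, tenant_id) not in self.ROLES:
            return 401, {"error": {"message": "User not authorized for tenant"}}
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {"user_id": user_id, "tenant_id": tenant_id if scoped else None}
        access = {"token": {"id": token_id}, "user": {"id": user_id, "roles": []}}
        if scoped:  # only a scoped token carries tenant, roles and a service catalog
            access["token"]["tenant"] = {"id": tenant_id, "name": self.TENANTS[tenant_id]}
            access["user"]["roles"] = [{"name": r} for r in self.ROLES[(user_id, tenant_id)]]
            access["serviceCatalog"] = [{"type": "compute", "name": "nova", "endpoints": [
                {"region": "RegionOne", "publicURL": self.COMPUTE_URL % tenant_id}]}]
        return 200, {"access": access}

    def get_tenants(self, token_id):
        """GET /v2.0/tenants with X-Auth-Token: the tenants this token's user may scope to."""
        tok = self.tokens.get(token_id)
        if tok is None:
            return 401, {"error": {"message": "Invalid token"}}
        return 200, {"tenants": [{"id": t, "name": self.TENANTS[t]}
                                 for (u, t) in self.ROLES if u == tok["user_id"]]}

    def validate(self, token_id):
        """GET /v2.0/tokens/{id}: what a service calls to check a token a client handed it."""
        tok = self.tokens.get(token_id)
        if tok is None or tok["tenant_id"] is None:  # an unscoped token buys nothing at a service
            return 404, {}
        roles = [{"name": r} for r in self.ROLES[(tok["user_id"], tok["tenant_id"])]]
        return 200, {"access": {"token": {"id": token_id, "tenant": {"id": tok["tenant_id"]}},
                                "user": {"id": tok["user_id"], "roles": roles}}}


def nova_create_server(keystone, tenant_id, token_id, name):
    """Nova's side of POST /v2/{tenant_id}/servers: validate the token with Keystone, then apply policy."""
    status, info = keystone.validate(token_id)
    if status != 200 or info["access"]["token"]["tenant"]["id"] != tenant_id:
        return 401, {"error": "token invalid or not scoped to this tenant"}
    roles = {r["name"] for r in info["access"]["user"]["roles"]}
    if not roles & {"member", "admin"}:  # constructed policy rule
        return 403, {"error": "role not allowed to create servers"}
    return 202, {"server": {"name": name, "tenant_id": tenant_id}}


def _ok(resp):
    """Raise on a non-200 Keystone reply, otherwise return its body."""
    if resp[0] != 200:
        raise RuntimeError("Keystone returned %d: %s" % resp)
    return resp[1]


def compute_endpoint(access):
    """Pick the compute endpoint out of the service catalog that came with a scoped token."""
    svc = next(s for s in access["serviceCatalog"] if s["type"] == "compute")
    return svc["endpoints"][0]["publicURL"]


def default_flow(keystone, username, password, tenant_name):
    """Use case 1: unscoped token -> list tenants -> scoped token -> catalog -> call Nova."""
    creds = {"username": username, "password": password}
    unscoped = _ok(keystone.post_tokens({"auth": {"passwordCredentials": creds}}))["access"]
    tenants = _ok(keystone.get_tenants(unscoped["token"]["id"]))["tenants"]
    tenant = next(t for t in tenants if t["name"] == tenant_name)
    access = _ok(keystone.post_tokens({"auth": {"tenantId": tenant["id"], "token": {
        "id": unscoped["token"]["id"]}}}))["access"]
    status, body = nova_create_server(keystone, tenant["id"], access["token"]["id"], "vm-1")
    return compute_endpoint(access), status, body


def shortcut_flow(keystone, username, password, tenant_name):
    """Use case 2: the client already knows its tenant and asks for a scoped token at once."""
    creds = {"username": username, "password": password}
    access = _ok(keystone.post_tokens({"auth": {"tenantName": tenant_name,
                                                "passwordCredentials": creds}}))["access"]
    status, body = nova_create_server(keystone, access["token"]["tenant"]["id"],
                                      access["token"]["id"], "vm-2")
    return compute_endpoint(access), status, body
```

default_flow() walks use case 1 and shortcut_flow() use case 2; both end by calling Nova with the scoped token and reading the compute endpoint out of the catalog. The checks worth noticing are on the Nova side: it rejects the unscoped token outright, and it rejects a token scoped to a different tenant than the one named in the URL, which is exactly what Keystone's validation answer (tenant plus roles) makes possible.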
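The negotiation in the third sequence, as an added example that is not Nova's or Keystone's code: a parser for WWW-Authenticate challenges, a helper that picks the Keystone uri out of them, and the unauthenticated call / 401 / fetch token / retry loop. make_fake_nova() is a constructed stand-in for Nova so the exchange runs offline, obtain_token is a caller-supplied hook that would perform the Keystone authentication, and the trusted_hosts check is an added precaution rather than something the page describes: because the Keystone URL arrives in an unauthenticated reply, the client only sends credentials to an expected host over HTTPS.

```python
"""Use case 3: discover Keystone from Nova's 401 (added example, not Nova's or Keystone's code).
parse_www_authenticate() is a small RFC 7235-style challenge parser; make_fake_nova() is a
constructed stand-in for Nova so the exchange runs offline. The trusted-host check is an
added precaution, not something the page describes."""
import re
from urllib.parse import urlsplit

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param: token "=" ( token / quoted-string )
_PARAM = re.compile(r'^(' + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))$')


def _split_commas(value):
    """Split a header value on commas that are outside double-quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _param(m):
    """(name, value) from a _PARAM match, with quoted-pair escapes removed."""
    value = m.group(3) if m.group(2) is None else re.sub(r"\\(.)", r"\1", m.group(2))
    return m.group(1).lower(), value


def parse_www_authenticate(values):
    """Parse one or more WWW-Authenticate header values into a list of
    {"scheme": ..., "params": {...}, "token68": ...}.  A bare name=value item
    continues the previous challenge; anything else starts a new one."""
    challenges = []
    for value in values:
        for item in _split_commas(value):
            m = _PARAM.match(item)
            if m and challenges:
                name, val = _param(m)
                challenges[-1]["params"][name] = val
                continue
            scheme, _, rest = item.partition(" ")
            chal = {"scheme": scheme, "params": {}, "token68": None}
            m = _PARAM.match(rest.strip())
            if m:
                name, val = _param(m)
                chal["params"][name] = val
            elif rest.strip():
                chal["token68"] = rest.strip()
            challenges.append(chal)
    return challenges


def discover_keystone(challenges):
    """Return the uri= of the first Keystone challenge, or None if Keystone isn't offered."""
    for c in challenges:
        if c["scheme"].lower() == "keystone" and "uri" in c["params"]:
            return c["params"]["uri"]
    return None


def negotiate(call_nova, obtain_token, trusted_hosts):
    """Call Nova unauthenticated; on 401, learn the Keystone URL, get a token and retry.
    call_nova(headers) -> (status, headers, body); obtain_token(keystone_uri) -> token id."""
    status, headers, body = call_nova({})
    if status != 401:
        return status, body
    challenges = parse_www_authenticate(headers.get("WWW-Authenticate", []))
    uri = discover_keystone(challenges)
    if uri is None:
        raise RuntimeError("Keystone not offered; schemes: %s" % [c["scheme"] for c in challenges])
    # The URL came from an unauthenticated reply: only hand credentials to a host we expect, over TLS.
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.hostname not in trusted_hosts:
        raise RuntimeError("refusing to authenticate against untrusted %s" % uri)
    status, _, body = call_nova({"X-Auth-Token": obtain_token(uri)})
    return status, body


def make_fake_nova(keystone_uri, valid_tokens):
    """Constructed Nova stand-in: answers 401 with Basic and Keystone challenges until a valid token arrives."""
    def call(headers):
        if headers.get("X-Auth-Token") in valid_tokens:
            return 200, {}, {"servers": []}
        challenges = ['Basic realm="nova"', 'Keystone uri="%s"' % keystone_uri]
        return 401, {"WWW-Authenticate": challenges}, {}
    return call
```

The parser handles both forms a server may use, one challenge per header or several comma-separated in one header, and keeps commas inside quoted realm or uri values intact. negotiate() only retries when a Keystone challenge is present; if Nova offers nothing but Basic, it stops rather than guessing a Keystone URL.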