[openstack-dev] [Keystone] Reviewers wanted: Delegated Auth a la Oauth

Dolph Mathews dolph.mathews at gmail.com
Sat Aug 24 20:11:17 UTC 2013

On Fri, Jun 14, 2013 at 9:45 AM, David Chadwick <d.w.chadwick at kent.ac.uk>wrote:
> 2. Step 1b. How does the delegate know which role to request? This is
> unintuitive. A delegator (rather than delegate) knows the role he wants to
> delegate. One would normally expect the delegator to request Keystone to
> delegate this role to the named delegate, rather than the delegate asking
> for a role to be delegated to it, since it requires an out of band
> communications between the delegator and delegate to take place before the
> delegation, in which the delegator tells the delegate its un/pw and the
> role it should ask for. This seems to be a rather contrived exchange of
> messages.

Now that the OAuth implementation has merged, I came back to this
conversation to check that everything was addressed... this issue was
definitely not!

I'd suggest revising the spec to delete the consumer's requested_role_ids
in favor of the delegator specifying the roles to be delegated on the
requested project ID.

I opened a bug for tracking-
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130824/22aa2500/attachment.html>

More information about the OpenStack-dev mailing list