[openstack-dev] [Keystone] V3 auth API design input

Adam Young ayoung at redhat.com
Wed Jan 23 21:14:27 UTC 2013

Tokens are not where we want Keystone to be long term.  Since they are 
bearer tokens, they are susceptible to relay attacks.  Thus, I don't 
want the authentication process bound to only producing tokens.

If we do /v3/authn/tokens  as the API for creating new tokens, we can do
/v3/authn/X509 or something else in the future.

Also, the token format should be nailed down, and simplified from the 
artifacts that the current tokens contain.  We need to remove the term 
metadata from usage, and instead talk in terms of the contents of the 
token itself.

Here's a strawman.
user : { id,  other user specific attributes },
domain : {id},
project : { roles [role ids]},
     compute: [https://nova/endpoint],
     identity: [https://keystone/endpoint],

More information about the OpenStack-dev mailing list