The issue with having un-managed number of tokens for same credential is that it can be easily exploited. Getting a token is one of initial step (gateway) to get access to services. A rogue client can keep creating unlimited number of tokens and possibly create denial of service attack on services. If there are somewhat limited number of tokens, then cloud provider can possibly use tokenId based rate-limiting approach. Extending the expiry to some fixed interval might be okay as that can be considered as continuing user session similar to what is seen when a user keeps browsing an application while logged in. -Arun From: Adam Young <ayoung at redhat.com> Reply-To: OpenStack Development Mailing List <openstack-dev at lists.openstack.org> Date: Friday, June 14, 2013 3:33 PM To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org> Subject: Re: [openstack-dev] [Keystone][Folsom] Token re-use On 06/13/2013 07:58 PM, Ravi Chunduru wrote: Hi, We are having Folsom setup and we find that our token table increases a lot. I understand client can re-use the token but why doesnt keystone reuse the token if client asks it with same credentials.. I would like to know if there is any reason for not doing so. Thanks in advance, -- Ravi _______________________________________________ OpenStack-dev mailing list OpenStack-dev at lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/ listinfo/openstack-dev You can cache the token on the client side and reuse. Tokens have a an expiry, so if you request a new token, you extend the expiry. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130619/295d6574/attachment.html> -------------- next part -------------- _______________________________________________ OpenStack-dev mailing list OpenStack-dev at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6186 bytes Desc: not available URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130619/295d6574/attachment.bin>