[openstack-dev] [keystone] External authentication
ayoung at redhat.com
Thu Nov 14 18:05:03 UTC 2013
On 11/14/2013 10:52 AM, Álvaro López García wrote:
> Hi all,
> During the review of  I had a look at the tests that are related
> with external authentication (i.e. the usage of REMOTE_USER) in
> Keystone and I realised that there is a bunch of them that are setting
> "external" as one of the authentication methods. However, in
> keystone.auth.controllers there is an explicit call to the "external"
> methods whenever REMOTE_USER is set .
> Should we call the external authentication only when "external" is set
> (i.e. in ) regardless of the REMOTE_USER presence in the context?
I'd like to. We made a decision to make the user explicitly enable
External authentication in the config, but there is no reason that it
would have to extend to the request body itself.
In theory we could do token creation request with no Body at all, the
same way we do role assignments:
To create a project scoped token
And to create a domain token
Would work very well with Basic-Auth or other External formats. Then the
Body would only have to contain any mitigating factors, like a shorter
expiry or reduced set of roles.
More information about the OpenStack-dev