Hi,

I'd like to check in on this authentication mechanism. Keystone should have some kind of apiKey in order to prevent developers from storing their credentials (username/password) in a clear text configuration file.

There are two blueprints that can tackle this feature, yet they are both in need of approval:

https://blueprints.launchpad.net/keystone/+spec/access-key-authentication
https://blueprints.launchpad.net/keystone/+spec/password-rotation

I believe the access-key-authentication has been superseded by the password-rotation. Meaning:

* The user creates a secondary password.
* He can use this new password to authenticate API requests with the credential_id + password.
* He won't be able to log in to Horizon as it will try to authenticate with the user_id + password (Keystone will match those against the "default_credential_id").
* API requests like password change should be denied if the user didn't use his "default_credential_id".

Did I get this right?

Best regards,
Tristan
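
The four rules listed in the message above, modelled as an added example that is not part of the original post and is not Keystone code. The class and method names are hypothetical, PBKDF2 stands in for whatever password hashing a real service would use, and the first credential created for a user is assumed to become the default.

```python
import hashlib, hmac, os, secrets

class CredentialStore:
    """Toy model of the rules in the message (hypothetical, not Keystone's API)."""

    def __init__(self):
        self.creds = {}    # credential_id -> (user_id, salt, password_hash)
        self.default = {}  # user_id -> default_credential_id

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_credential(self, user_id, password):
        cred_id = secrets.token_hex(8)
        salt = os.urandom(16)
        self.creds[cred_id] = (user_id, salt, self._hash(password, salt))
        self.default.setdefault(user_id, cred_id)  # assumption: first one is the default
        return cred_id

    def _check(self, cred_id, password):
        entry = self.creds.get(cred_id)
        if entry is None:
            return None
        user_id, salt, stored = entry
        # Constant-time comparison of the derived hashes.
        ok = hmac.compare_digest(stored, self._hash(password, salt))
        return user_id if ok else None

    def auth_api(self, cred_id, password):
        """API path: credential_id + password. Returns a session dict or None."""
        user_id = self._check(cred_id, password)
        if user_id is None:
            return None
        return {"user_id": user_id, "credential_id": cred_id}

    def auth_login(self, user_id, password):
        """Dashboard path: user_id + password, matched against the default only."""
        cred_id = self.default.get(user_id)
        if cred_id is None or self._check(cred_id, password) != user_id:
            return None
        return {"user_id": user_id, "credential_id": cred_id}

    def change_password(self, session, new_password):
        """Denied unless the session was opened with the default credential."""
        user_id = session["user_id"]
        if session["credential_id"] != self.default[user_id]:
            raise PermissionError("password change requires the default credential")
        salt = os.urandom(16)
        self.creds[session["credential_id"]] = (user_id, salt, self._hash(new_password, salt))
```

A secondary credential leaked from a configuration file can then be revoked or replaced without giving its holder dashboard login or the ability to change the main password.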