[openstack-dev] [Keystone][Horizon] Proposed Changes for Unscoped tokens.
Adam Young
ayoung at redhat.com
Fri Jul 4 22:13:30 UTC 2014
Unscoped tokens are really a proxy for the Horizon session, so let's
treat them that way.
1. When a user authenticates unscoped, they should get back a list of
their projects:
something along the lines of:
domains [{ name = d1,
projects [ p1, p2, p3]},
{ name = d2,
projects [ p4, p5, p6]}]
Not the service catalog. These are not in the token, only in the
response body.
2. Unscoped tokens are only initially via HTTPS and require client
certificate validation or Kerberos authentication from Horizon. Unscoped
tokens are only usable from the same origin as they were originally
requested.
3. Unscoped tokens should be very short lived: 10 minutes. Unscoped
tokens should be infinitely extensible: If I hand an unscoped token to
keystone, I get one good for another 10 minutes.
4. Unscoped tokens are only accepted in Keystone. They can only be
used to get a scoped token. Only unscoped tokens can be used to get
another token.
Comments?
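As an added illustration (not code from the post or from Keystone itself), the four rules above modelled as a small in-memory token service; the user, origin and project names are constructed sample data, and time is passed in explicitly so expiry and renewal can be checked.

```python
"""Toy model of the proposed unscoped-token rules (constructed example,
not Keystone code). 'now' is injected as seconds so expiry is testable."""
import secrets

UNSCOPED_TTL = 600  # rule 3: 10 minutes

# Constructed sample data: each user's projects grouped by domain.
USER_PROJECTS = {"alice": {"d1": ["p1", "p2", "p3"], "d2": ["p4", "p5", "p6"]}}


class Keystone:
    def __init__(self):
        self.tokens = {}  # token id -> {user, origin, expires, scope}

    def authenticate(self, user, origin, now):
        """Rule 1: unscoped auth returns the project list, not a catalog."""
        tid = secrets.token_hex(16)
        self.tokens[tid] = {"user": user, "origin": origin,
                            "expires": now + UNSCOPED_TTL, "scope": None}
        domains = [{"name": d, "projects": p}
                   for d, p in USER_PROJECTS[user].items()]
        return tid, {"domains": domains}

    def _unscoped(self, tid, origin, now):
        """Rules 2 and 3: same origin as issuance and not yet expired."""
        t = self.tokens.get(tid)
        if t is None or t["scope"] is not None:
            raise PermissionError("not an unscoped token")
        if t["origin"] != origin:
            raise PermissionError("unscoped token used from another origin")
        if now >= t["expires"]:
            raise PermissionError("unscoped token expired")
        return t

    def renew(self, tid, origin, now):
        """Rule 3: handing the token back to keystone buys another 10 min."""
        t = self._unscoped(tid, origin, now)
        t["expires"] = now + UNSCOPED_TTL
        return t["expires"]

    def get_scoped(self, tid, origin, project, now):
        """Rule 4: only an unscoped token can be exchanged for a scoped one."""
        t = self._unscoped(tid, origin, now)
        if not any(project in p for p in USER_PROJECTS[t["user"]].values()):
            raise PermissionError("user has no access to that project")
        sid = secrets.token_hex(16)
        self.tokens[sid] = {"user": t["user"], "origin": origin,
                            "expires": now + 3600, "scope": project}
        return sid

    def validate(self, tid, service, now):
        """Rule 4: only keystone ever accepts an unscoped token."""
        t = self.tokens.get(tid)
        if t is None or now >= t["expires"]:
            return False
        return t["scope"] is not None or service == "keystone"
```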