[openstack-dev] [Keystone][Horizon] Proposed Changed for Unscoped tokens.

Marco Fargetta Marco.Fargetta at ct.infn.it
Mon Jul 7 09:39:37 UTC 2014


On Fri, Jul 04, 2014 at 06:13:30PM -0400, Adam Young wrote:
> Unscoped tokens are really a proxy for the Horizon session, so lets
> treat them that way.
> 
> 
> 1.  When a user authenticates unscoped, they should get back a list
> of their projects:
> 
> something along the lines of:
> 
> domains [{   name = d1,
>                  projects [ p1, p2, p3]},
>                {   name = d2,
>                  projects [ p4, p5, p6]}]
> 
> Not the service catalog.  These are not in the token, only in the
> response body.
> 
> 
> 2.  Unscoped tokens are initially obtained only via HTTPS and require client
> certificate validation or Kerberos authentication from Horizon.
> Unscoped tokens are only usable from the same origin as they were
> originally requested.
> 
> 
> 3.  Unscoped tokens should be very short lived:  10 minutes.
> Unscoped tokens should be infinitely extensible:   If I hand an
> unscoped token to keystone, I get one good for another 10 minutes.
> 

With this time limit, Horizon would have to extend all the unscoped tokens
every x minutes (with x < 10). Is this useful, or could they be long-lived but
revocable by Keystone? In that case, after the unscoped token is
revoked it cannot be used to get a scoped token.

> 
> 4.  Unscoped tokens are only accepted in Keystone.  They can only be
> used to get a scoped token.  Only unscoped tokens can be used to get
> another token.
> 
> 
> Comments?
> 

-- 
====================================================
Eng. Marco Fargetta, PhD
 
Istituto Nazionale di Fisica Nucleare (INFN)
Catania, Italy

EMail: Marco.Fargetta at ct.infn.it
====================================================
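The four rules quoted above, plus the revocation alternative raised in the reply, as an added worked example. This is not Keystone or Horizon code and it does not reproduce the Keystone API; it is a toy in-memory token service whose class, method names, scoped-token lifetime, sample user/project data and the idea of passing the transport checks (HTTPS, Horizon's client certificate or Kerberos) in as flags are all assumptions made for illustration.

```python
import secrets
import time

UNSCOPED_TTL = 600    # rule 3: unscoped tokens live 10 minutes
SCOPED_TTL = 3600     # assumption: the proposal does not set a scoped lifetime


class TokenError(Exception):
    """Raised when a token request violates one of the proposed rules."""


class TokenService:
    """Toy stand-in for the Keystone side of the proposal (not Keystone code)."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be exercised
        self._tokens = {}              # token id -> record (in-memory store)
        # Constructed sample data: which projects each user may scope to.
        self._projects = {
            "alice": {"d1": ["p1", "p2", "p3"], "d2": ["p4", "p5", "p6"]},
        }

    def authenticate(self, user, origin, *, https, horizon_authenticated):
        """Rules 1 and 2: issue an unscoped token and return the project list."""
        # Rule 2: only over HTTPS, and only after Horizon itself proved its
        # identity (client certificate or Kerberos). Both checks are assumed
        # to have been done by the transport layer and are passed in as flags.
        if not (https and horizon_authenticated):
            raise TokenError("unscoped tokens are only issued over HTTPS to an authenticated Horizon")
        if user not in self._projects:
            raise TokenError("unknown user")   # the user's own credential check is assumed done
        tid = self._issue(user=user, scope=None, origin=origin, ttl=UNSCOPED_TTL)
        # Rule 1: the response body lists the user's domains and projects;
        # it is not a service catalog and it is not embedded in the token.
        body = {"domains": [{"name": d, "projects": list(ps)}
                            for d, ps in self._projects[user].items()]}
        return tid, body

    def extend(self, tid, origin):
        """Rule 3: trade a live unscoped token for a fresh 10-minute one."""
        rec = self._unscoped(tid, origin)
        self._tokens.pop(tid)          # rotate: the old id stops working
        return self._issue(user=rec["user"], scope=None, origin=origin, ttl=UNSCOPED_TTL)

    def get_scoped(self, tid, origin, domain, project):
        """Rule 4: the only thing an unscoped token buys is a scoped token."""
        rec = self._unscoped(tid, origin)
        if project not in self._projects[rec["user"]].get(domain, []):
            raise TokenError("user has no access to that project")
        return self._issue(user=rec["user"], scope=(domain, project), origin=origin, ttl=SCOPED_TTL)

    def validate(self, tid):
        """What a service other than Keystone asks: who is this, on which project?"""
        rec = self._live(tid)
        if rec["scope"] is None:
            raise TokenError("unscoped tokens are only accepted by Keystone")  # rule 4
        return (rec["user"],) + rec["scope"]

    def revoke(self, tid):
        """The reply's alternative: once revoked, a token can be neither scoped nor extended."""
        self._tokens.pop(tid, None)

    # --- internals -------------------------------------------------------
    def _issue(self, *, user, scope, origin, ttl):
        tid = secrets.token_urlsafe(24)
        self._tokens[tid] = {"user": user, "scope": scope, "origin": origin,
                             "expires": self._clock() + ttl}
        return tid

    def _live(self, tid):
        rec = self._tokens.get(tid)
        if rec is None:
            raise TokenError("unknown or revoked token")
        if self._clock() > rec["expires"]:
            self._tokens.pop(tid)
            raise TokenError("token expired")
        return rec

    def _unscoped(self, tid, origin):
        rec = self._live(tid)
        if rec["scope"] is not None:
            raise TokenError("only unscoped tokens can be used to get another token")  # rule 4
        if rec["origin"] != origin:
            raise TokenError("unscoped token presented from a different origin")  # rule 2
        return rec


if __name__ == "__main__":
    svc = TokenService()
    horizon = "https://horizon.example"   # assumed origin
    unscoped, body = svc.authenticate("alice", horizon, https=True, horizon_authenticated=True)
    print("projects:", body)
    unscoped = svc.extend(unscoped, horizon)          # rule 3
    scoped = svc.get_scoped(unscoped, horizon, "d1", "p2")
    print("scoped token validates as:", svc.validate(scoped))
```

Two design points worth noting. Extension rotates the token id rather than bumping the expiry on the old one, so a leaked copy of an earlier unscoped token dies within ten minutes even while the session it belonged to keeps being extended. And the origin binding is enforced only on the unscoped path, since scoped tokens are what the other services consume; if you adopt the reply's revocation model instead of short lifetimes, `revoke` is the only thing that has to be reliable, because every later use goes through `_live`.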
