[openstack-dev] [keystone] Custom ProjectID upon creation

David Stanek dstanek at dstanek.com
Mon Dec 5 21:32:22 UTC 2016

On 05-Dec 15:14, Lance Bragstad wrote:
> I put myself in Boris' camp on this one. This can open up the opportunity
> for negative user-experience, purely based on where I authenticate and
> which token I happen to authenticate with. A token would no longer be
> something I can assume to be properly validated against any node in my
> deployment. Now, when I receive a 401 Unauthorized, is it because the token
> is actually invalid, did I use the wrong endpoint, or did I use a token
> with the wrong scope for the endpoint I wanted to interact with?

I agree. I think having different behavior for tokens based on scope
will not only lead to bad user experiences, but will lead to baking in
those rules into the client. Someone will propose this as soon as they
get confused by the token 401ing unexpectedly. 

david stanek
web: http://www.dstanek.com
blog: http://www.traceback.org

More information about the OpenStack-dev mailing list