[openstack-dev] [keystone] Custom ProjectID upon creation
dstanek at dstanek.com
Mon Dec 5 21:32:22 UTC 2016
On 05-Dec 15:14, Lance Bragstad wrote:
> I put myself in Boris' camp on this one. This can open up the opportunity
> for negative user-experience, purely based on where I authenticate and
> which token I happen to authenticate with. A token would no longer be
> something I can assume to be properly validated against any node in my
> deployment. Now, when I receive a 401 Unauthorized, is it because the token
> is actually invalid, did I use the wrong endpoint, or did I use a token
> with the wrong scope for the endpoint I wanted to interact with?
I agree. I think having different behavior for tokens based on scope
will not only lead to bad user experiences, but will lead to baking in
those rules into the client. Someone will propose this as soon as they
get confused by the token 401ing unexpectedly.
More information about the OpenStack-dev