[openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

Tripp, Travis S travis.tripp at hpe.com
Thu Jul 7 15:49:18 UTC 2016


By caching, do you mean not persisting it in local storage or a cookie?  Would it be okay to store in a variable in browser memory for the duration of the session to be used with subsequent API requests?

Thanks,
Travis

On 7/6/16, 6:36 PM, "David Stanek" <dstanek at dstanek.com> wrote:

On 07/01 at 19:41, Fox, Kevin M wrote:
> Hi David,
> 
> How do you feel about the approach here:
> https://review.openstack.org/#/c/311189/
> 
> It lets the existing AngularJS module:
> horizon.app.core.openstack-service-api.keystone
> 
> access the current token via getCurrentUserSession().token
> 

Hey Kevin,

It's hard to tell without a lot of the context. From what I can tell the
token is pulled down as part of the data of an API request. As long as
that's not cached I think you are OK.

-- 
David Stanek
web: http://dstanek.com
blog: http://traceback.org
