[openstack-dev] [Keystone][Token expiration]

Dolph Mathews dolph.mathews at gmail.com
Mon Apr 10 12:58:07 UTC 2017


The token itself is still expired, regardless of where it's persisted, if
at all. Expired tokens are only considered valid when presented as an
X-Auth-Token to keystonemiddleware.auth_token along with a valid
X-Service-Token, or when validating an X-Subject-Token against keystone
directly using either:

  HEAD /v3/auth/token?allow_expired
  GET /v3/auth/token?allow_expired

No configuration is required in keystone.conf to enable the feature.

More documentation is available in the release notes [1][2] and in the
sample configuration file [3] (see [token] allow_expired_window).

[1] https://docs.openstack.org/releasenotes/keystone/ocata.html#new-features
[2] https://docs.openstack.org/releasenotes/keystone/ocata.html#upgrade-notes
[3] https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html

On Mon, Apr 3, 2017 at 7:58 AM lương hữu tuấn <tuantuluong at gmail.com> wrote:

> Hi Dolph,
>
> Thanks for the reply. It means that from the DB point of view the token is
> expired, but it is still passed to other service users in the request (token
> stored in memory?) and keystone allows this expired token? And to make this
> feature work, we should apply the "X-Service-Token" header and change
> "allow_expired" in keystone.conf.
>
> Br,
>
> Tuan/Nokia
>
> On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews <dolph.mathews at gmail.com>
> wrote:
>
> > does it mean that the token now will live forever
>
> No; it behaves as described in the document you linked. If you have any
> specific security concerns, please raise them appropriately (such as a
> security bug, if necessary).
>
> On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn <tuantuluong at gmail.com>
> wrote:
>
> Hi keystone folks,
>
> I have had a chance to take a look at the patch below, which allows expired
> tokens and was merged in Ocata:
>
>
> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html
>
> In our project, we also have a problem with token expiration when running
> Mistral workflows. I have a concern that if this patch works as it does,
> does it mean that the token will now live forever ("forever" seems so
> sloppy, but it seems like the token is no longer expired)? In this case, it
> seems not good for security purposes.
>
> Br,
>
> Tuan/Nokia
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> --
> -Dolph
>
-- 
-Dolph
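The point Dolph makes above (the token stays expired; allow_expired only lets a service-to-service request get a "valid" answer for a bounded window) is easy to misread, so here is a small Python model of the two checks involved. This is an added illustration, not code from keystone, keystonemiddleware or anyone in this thread. The token structure, the in-memory token store, the service-token check and the 172800-second window value are assumptions for the example; the real default for [token] allow_expired_window is whatever the sample keystone.conf for your release states.

```python
"""Model of keystone's allow_expired behaviour (added example, not keystone code).

Two checks are modelled:
  1. keystonemiddleware.auth_token: an expired X-Auth-Token is only revalidated
     with allow_expired when a valid X-Service-Token accompanies the request.
  2. keystone: validating the token with the allow_expired flag accepts an
     expired token only while it is inside [token] allow_expired_window past
     its expiry.
Token layout, window value and the service-token check are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed value for [token] allow_expired_window (seconds). Check the sample
# keystone.conf for the actual default of your release.
ALLOW_EXPIRED_WINDOW = timedelta(seconds=172800)


@dataclass(frozen=True)
class Token:
    token_id: str
    expires_at: datetime
    is_service: bool = False  # assumed flag: token issued to a service account

    def expired(self, now):
        return now >= self.expires_at


def keystone_validate(token, now, allow_expired=False, window=ALLOW_EXPIRED_WINDOW):
    """Model of keystone's token validation with the allow_expired query flag.

    Returns (accepted, reason). The token is still expired in every branch;
    allow_expired only lets keystone answer "valid" for a bounded time.
    """
    if not token.expired(now):
        return True, "valid"
    if not allow_expired:
        return False, "expired"
    if now < token.expires_at + window:
        return True, "expired-but-within-allow_expired_window"
    return False, "expired-beyond-allow_expired_window"


def middleware_authenticate(headers, now, tokens):
    """Model of keystonemiddleware.auth_token for one incoming request.

    headers: request headers (X-Auth-Token, optional X-Service-Token).
    tokens:  constructed in-memory token store keyed by token id.
    """
    user = tokens.get(headers.get("X-Auth-Token"))
    if user is None:
        return False, "unknown token"
    service = tokens.get(headers.get("X-Service-Token"))
    # allow_expired is only requested for service-to-service calls whose
    # X-Service-Token itself validates normally (no allow_expired for it).
    service_ok = (service is not None and service.is_service
                  and keystone_validate(service, now)[0])
    return keystone_validate(user, now, allow_expired=service_ok)


# Constructed sample data: a fixed "now" and a handful of tokens.
NOW = datetime(2017, 4, 10, 12, 0, tzinfo=timezone.utc)
TOKENS = {
    "user-fresh": Token("user-fresh", NOW + timedelta(hours=1)),
    "user-stale": Token("user-stale", NOW - timedelta(hours=3)),   # expired 3h ago
    "user-ancient": Token("user-ancient", NOW - timedelta(days=5)),  # long past window
    "svc-nova": Token("svc-nova", NOW + timedelta(hours=1), is_service=True),
    "svc-stale": Token("svc-stale", NOW - timedelta(hours=1), is_service=True),
}


def run_scenarios():
    """Return the decision for each constructed request, keyed by a label."""
    cases = {
        "fresh user token": {"X-Auth-Token": "user-fresh"},
        "stale user token, no service token": {"X-Auth-Token": "user-stale"},
        "stale user token + valid service token":
            {"X-Auth-Token": "user-stale", "X-Service-Token": "svc-nova"},
        "ancient user token + valid service token":
            {"X-Auth-Token": "user-ancient", "X-Service-Token": "svc-nova"},
        "stale user token + expired service token":
            {"X-Auth-Token": "user-stale", "X-Service-Token": "svc-stale"},
    }
    return {label: middleware_authenticate(h, NOW, TOKENS) for label, h in cases.items()}


if __name__ == "__main__":
    for label, (ok, reason) in run_scenarios().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {label}: {reason}")
```

The two properties worth noticing: a user token presented on its own is rejected the moment it expires, regardless of allow_expired_window, and even with a valid service token the acceptance stops at expires_at plus the window, so nothing "lives forever".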