[openstack-dev] [all][keystone][product] api keys/application specific passwords

Zane Bitter zbitter at redhat.com
Wed May 17 00:08:23 UTC 2017

On 16/05/17 01:06, Colleen Murphy wrote:
> Additionally, I think OAuth - either extending the existing OAuth1.0
> plugin or implementing OAuth2.0 - should probably be on the table.

I believe that OAuth is not a good fit for long-lived things like an 
application needing to communicate with its own infrastructure. Tokens 
are (a) tied to a user, and (b) expire, neither of which we want. Any 
use case where you can't just drop the user into a web browser and ask 
for their password at any time seem to be, at a minimum, excruciatingly 
painful and often impossible with OAuth, because that is the use case it 
was designed for.


More information about the OpenStack-dev mailing list