[openstack-dev] [keystone][monasca][congress][senlin][telemetry] authenticated webhook notifications

Eric K ekcs.openstack at gmail.com
Tue May 8 19:47:27 UTC 2018

To clarify, one of the reasons I'd like to accept webhook notifications
authenticated with keystone tokens is that I don't want the access to
expire, but of course it's poor practice to use a signed URL that never


On 5/8/18, 12:29 PM, "Eric K" <ekcs.openstack at gmail.com> wrote:

>Thanks, Thomas!
>I see the point that it is impractical to configure a service with a fixed
>keystone token to use in webhook notifications because they expire fairly
>I'm thinking about the situation where the sending service can obtain
>tokens directly from keystone. In that case I'm guessing the main reason
>it hasn't been done that way is because it does not generalize to most
>other services that don't connect to keystone?
>On 5/6/18, 9:30 AM, "Thomas Herve" <therve at redhat.com> wrote:
>>On Sat, May 5, 2018 at 1:53 AM, Eric K <ekcs.openstack at gmail.com> wrote:
>>> Thanks a lot Witold and Thomas!
>>> So it doesn't seem that someone is currently using a keystone token to
>>> authenticate web hook? Is is simply because most of the use cases had
>>> involved services which do not use keystone?
>>> Or is it unsuitable for another reason?
>>It's fairly impractical for webhooks because
>>1) Tokens expire fairly quickly.
>>2) You can't store all the data in the URL, so you need to store the
>>token and the URL separately.
>>OpenStack Development Mailing List (not for usage questions)
>>OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

More information about the OpenStack-dev mailing list