<div dir="ltr">Hi Dolph,<div><br></div><div>Thanks for the reply. Does it mean that, from the DB point of view, the token is expired but it is still passed to other service users in the request (token stored in memory?) and keystone allows this expired token? And to make this feature work, we should apply the "X-Service-Token" header and change "allow_expired" in keystone.conf.<br><br>Br,</div><div><br></div><div>Tuan/Nokia</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews <span dir="ltr"><<a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span class=""><div><span style="color:rgb(62,67,73);font-family:arial,sans-serif;font-size:14.4px">> </span><span style="color:rgb(33,33,33)">does it mean that the token now will live forever</span></div><div><span style="color:rgb(62,67,73);font-family:arial,sans-serif;font-size:14.4px"><br></span></div></span><div><span style="color:rgb(62,67,73);font-family:arial,sans-serif;font-size:14.4px">No; it behaves as described in the document you linked. 
If you have any specific security concerns, please raise them appropriately (such as a security bug, if necessary).</span></div></div><br><div class="gmail_quote"><div><div class="h5"><div dir="ltr">On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn <<a href="mailto:tuantuluong@gmail.com" target="_blank">tuantuluong@gmail.com</a>> wrote:<br></div></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr" class="m_6211678702564853496gmail_msg">Hi keystone folks,<div class="m_6211678702564853496gmail_msg"><br class="m_6211678702564853496gmail_msg"></div><div class="m_6211678702564853496gmail_msg">I have had a chance to take a look at the patch below for allowing the expired token, and it was merged in Ocata:</div><div class="m_6211678702564853496gmail_msg"><br class="m_6211678702564853496gmail_msg"></div><div class="m_6211678702564853496gmail_msg"><a href="https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html" class="m_6211678702564853496gmail_msg" target="_blank">https://specs.openstack.org/<wbr>openstack/keystone-specs/<wbr>specs/keystone/ocata/allow-<wbr>expired.html</a><br class="m_6211678702564853496gmail_msg"></div><div class="m_6211678702564853496gmail_msg"><br class="m_6211678702564853496gmail_msg"></div><div class="m_6211678702564853496gmail_msg">In our project, we also have a problem with token expiration when running a mistral workflow. I have a concern that if this patch works as it does, does it mean that the token now will live forever ("forever" seems so sloppy, but it seems like the token is no longer expired). 
In this case, it seems not good for security purposes.</div><div class="m_6211678702564853496gmail_msg"><br class="m_6211678702564853496gmail_msg"></div><div class="m_6211678702564853496gmail_msg">Br,</div><div class="m_6211678702564853496gmail_msg"><br class="m_6211678702564853496gmail_msg"></div><div class="m_6211678702564853496gmail_msg">Tuan/Nokia</div></div></div></div>
______________________________<wbr>______________________________<wbr>______________<br class="m_6211678702564853496gmail_msg">
OpenStack Development Mailing List (not for usage questions)<br class="m_6211678702564853496gmail_msg">
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" class="m_6211678702564853496gmail_msg" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br class="m_6211678702564853496gmail_msg">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" class="m_6211678702564853496gmail_msg" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><span class="HOEnZb"><font color="#888888"><br class="m_6211678702564853496gmail_msg">
</font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">-Dolph</div></div>
</font></span>
<br></blockquote></div><br></div>
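<p>The allow-expired flow the thread discusses, as an added example that is not keystone or keystonemiddleware code: a toy identity server that validates tokens the way <code>GET /v3/auth/tokens</code> does, with an optional <code>allow_expired</code> flag, and a toy <code>auth_token</code>-style middleware that only sets that flag when a valid <code>X-Service-Token</code> carrying a service role accompanies the <code>X-Auth-Token</code>. It shows why the token does not "live forever": the exemption only covers a bounded window after expiry, the service token itself must be unexpired, and revocation still wins. The constants <code>ALLOW_EXPIRED_WINDOW</code> (standing in for keystone.conf <code>[token] allow_expired_window</code>) and <code>SERVICE_TOKEN_ROLES</code>, the token lifetimes and the timestamps are all assumptions constructed for the example.</p>

```python
"""Simplified model of the Ocata allow-expired token flow (added example,
not keystone or keystonemiddleware code). Rules and constants are assumptions."""
from dataclasses import dataclass

# Assumed stand-in for keystone.conf [token] allow_expired_window (seconds).
ALLOW_EXPIRED_WINDOW = 2 * 24 * 3600
# Assumed set of roles a service token must carry to unlock the exemption.
SERVICE_TOKEN_ROLES = {"service"}


class Unauthorized(Exception):
    """Stand-in for a 401 from keystone or from the middleware."""


@dataclass
class Token:
    token_id: str
    roles: set
    expires_at: float  # unix time
    revoked: bool = False


class Keystone:
    """Toy identity server: issues tokens and validates them like
    GET /v3/auth/tokens, honouring the optional ?allow_expired=1 parameter."""

    def __init__(self, allow_expired_window=ALLOW_EXPIRED_WINDOW):
        self.allow_expired_window = allow_expired_window
        self._tokens = {}

    def issue(self, token_id, roles, lifetime, now):
        self._tokens[token_id] = Token(token_id, set(roles), now + lifetime)

    def revoke(self, token_id):
        self._tokens[token_id].revoked = True

    def validate(self, token_id, now, allow_expired=False):
        tok = self._tokens.get(token_id)
        if tok is None or tok.revoked:
            raise Unauthorized("unknown or revoked token")
        if now >= tok.expires_at:
            # Expired tokens are still rejected unless the caller asked for
            # allow_expired AND the expiry lies within the configured window.
            if not allow_expired:
                raise Unauthorized("token expired")
            if now - tok.expires_at > self.allow_expired_window:
                raise Unauthorized("token expired beyond allow_expired_window")
        return tok


def auth_token_middleware(keystone, headers, now):
    """Model of the auth_token middleware: the user token may be expired only
    when a valid service token with a required role accompanies it."""
    user_token_id = headers.get("X-Auth-Token")
    service_token_id = headers.get("X-Service-Token")
    if user_token_id is None:
        raise Unauthorized("missing X-Auth-Token")

    allow_expired = False
    if service_token_id is not None:
        # The service token itself never gets the expired-token exemption.
        service = keystone.validate(service_token_id, now, allow_expired=False)
        if not (service.roles & SERVICE_TOKEN_ROLES):
            raise Unauthorized("service token lacks the service role")
        allow_expired = True

    return keystone.validate(user_token_id, now, allow_expired=allow_expired)


def run_scenarios():
    """Drive the model through the cases the thread asks about; returns a dict
    of case name -> outcome. Times and lifetimes are constructed."""
    ks = Keystone()
    t0 = 1_000_000.0
    ks.issue("user-tok", {"member"}, lifetime=3600, now=t0)            # 1 h
    ks.issue("nova-svc", {"service"}, lifetime=7 * 24 * 3600, now=t0)  # 7 d
    ks.issue("weak-svc", {"member"}, lifetime=7 * 24 * 3600, now=t0)   # no role

    def attempt(headers, now):
        try:
            auth_token_middleware(ks, headers, now)
            return "accepted"
        except Unauthorized as exc:
            return f"rejected: {exc}"

    two_hours = t0 + 2 * 3600         # user token expired, inside the window
    three_days = t0 + 3 * 24 * 3600   # user token expired, outside the window
    both = {"X-Auth-Token": "user-tok", "X-Service-Token": "nova-svc"}
    results = {
        "fresh, no service token": attempt({"X-Auth-Token": "user-tok"}, t0 + 60),
        "expired, no service token": attempt({"X-Auth-Token": "user-tok"}, two_hours),
        "expired, with service token": attempt(both, two_hours),
        "expired, service token lacks role": attempt(
            {"X-Auth-Token": "user-tok", "X-Service-Token": "weak-svc"}, two_hours),
        "expired beyond window": attempt(both, three_days),
    }
    ks.revoke("user-tok")
    results["expired and revoked"] = attempt(both, two_hours)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:36s} {outcome}")
```

<p>The point a practitioner should take from the model: only the middleware's validation request on behalf of a service (X-Service-Token present and itself valid) asks keystone to tolerate expiry, and even then keystone rejects tokens whose expiry is older than the window and tokens that have been revoked. Disabling the exemption in the model is a matter of setting the window to zero, which is the knob the thread points at in keystone.conf.</p>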