[openstack-dev] [Keystone] V3 auth API design input
Adam Young
ayoung at redhat.com
Wed Jan 23 21:14:27 UTC 2013
Tokens are not where we want Keystone to be long term. Since they are
bearer tokens, they are susceptible to relay attacks. Thus, I don't
want the authentication process bound to only producing tokens.

If we do /v3/authn/tokens as the API for creating new tokens, we can do
/v3/authn/X509 or something else in the future.

Also, the token format should be nailed down, and simplified from the
artifacts that the current tokens contain. We need to remove the term
metadata from usage, and instead talk in terms of the contents of the
token itself.

Here's a strawman.
{
    user : { id, other user specific attributes },
    domain : {id},
    project : { roles [role ids]},
    auth_mechanisms[],
    services:[
        compute: [https://nova/endpoint],
        identity: [https://keystone/endpoint],
        ...
    ]
}
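
Added example, not part of the original post and not Keystone code: a toy issuer showing why a bearer token is accepted from whoever presents it, while a token bound to a client certificate is not. The `cert_fp` field, the function names and the sample certificates are assumptions made for illustration, and the TLS layer is assumed to have already proved that the peer holds the certificate's private key.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)       # constructed issuer key for this demo
ALICE_CERT = b"constructed-cert-alice"     # constructed stand-ins for DER certificates
OTHER_CERT = b"constructed-cert-other"

def _mac(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def issue(user_id, cert_der=None):
    """Issue a signed token; pass cert_der to bind it to one client certificate."""
    claims = {"user": {"id": user_id},
              "auth_mechanisms": ["x509" if cert_der else "password"]}
    if cert_der is not None:
        claims["cert_fp"] = fingerprint(cert_der)   # hypothetical binding field
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + _mac(body)

def accept(token, peer_cert_der):
    """Validate a token presented on a connection.

    peer_cert_der is the certificate the TLS layer authenticated for this
    connection, or None when the client presented no certificate.
    """
    body_hex, _, mac = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return False                       # forged or modified token
    bound = json.loads(body).get("cert_fp")
    if bound is None:
        return True                        # bearer: holding the string is enough
    if peer_cert_der is None:
        return False                       # bound token, but no client certificate
    return hmac.compare_digest(bound, fingerprint(peer_cert_der))

if __name__ == "__main__":
    bearer, bound = issue("alice"), issue("alice", ALICE_CERT)
    print("bearer from another client:", accept(bearer, OTHER_CERT))
    print("bound from another client: ", accept(bound, OTHER_CERT))
    print("bound from its owner:      ", accept(bound, ALICE_CERT))
```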