[openstack-dev] [Keystone][Horizon] Proposed Changed for Unscoped tokens.

Adam Young ayoung at redhat.com
Mon Jul 7 03:03:20 UTC 2014


Probably should not have posted this over a weekend, especially a long 
weekend.


On 07/04/2014 06:13 PM, Adam Young wrote:
> Unscoped tokens are really a proxy for the Horizon session, so let's 
> treat them that way.
>
>
> 1.  When a user authenticates unscoped, they should get back a list of 
> their projects:
>
> something along the lines of:
>
> domains [{   name = d1,
>                  projects [ p1, p2, p3]},
>                {   name = d2,
>                  projects [ p4, p5, p6]}]
>
> Not the service catalog.  These are not in the token, only in the 
> response body.
>
>
> 2.  Unscoped tokens are only initially via HTTPS and require client 
> certificate validation or Kerberos authentication from Horizon. 
> Unscoped tokens are only usable from the same origin as they were 
> originally requested.
>
>
> 3.  Unscoped tokens should be very short-lived:  10 minutes. Unscoped 
> tokens should be infinitely extensible:   If I hand an unscoped token 
> to keystone, I get one good for another 10 minutes.
>
>
> 4.  Unscoped tokens are only accepted in Keystone.  They can only be 
> used to get a scoped token.  Only unscoped tokens can be used to get 
> another token.
>
>
> Comments?
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
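The four rules in the quoted proposal, modelled as a small in-memory token service so the refusals can be seen end to end. This is an added example, not Keystone code and not anything Adam posted: the class and method names (TokenService, issue_unscoped, extend_unscoped, rescope, validate_for_service), the one-hour scoped lifetime, the choice to retire the old id on extension, and the user/project data are all assumptions made for the illustration. The HTTPS plus client-certificate/Kerberos requirement from point 2 is reduced to a boolean the caller has already checked.

```python
"""Toy model of the proposed unscoped-token rules (added example, not Keystone code).
Names and the scoped-token lifetime are assumptions; tokens are opaque random ids."""
import secrets
from dataclasses import dataclass
from typing import Optional

UNSCOPED_TTL = 600.0   # point 3: unscoped tokens live 10 minutes
SCOPED_TTL = 3600.0    # assumption: the proposal sets no scoped lifetime


class TokenError(Exception):
    """Raised whenever one of the rules refuses a request."""


@dataclass
class Token:
    kind: str                 # "unscoped" or "scoped"
    user: str
    origin: Optional[str]     # point 2: unscoped tokens are bound to the requesting origin
    expires: float
    project: Optional[str] = None


class TokenService:
    """Keystone side: each user's projects plus every token issued so far."""

    def __init__(self, assignments):
        self.assignments = assignments   # user -> {domain -> [projects]} (constructed data)
        self.tokens = {}                 # token id -> Token

    def issue_unscoped(self, user, origin, now, client_cert_ok):
        """Points 1 and 2: cert/Kerberos auth is a boolean the caller verified; the
        project list is in the response body only, and there is no service catalog."""
        if not client_cert_ok:
            raise TokenError("unscoped issuance needs client certificate or Kerberos auth")
        tid = secrets.token_hex(16)
        self.tokens[tid] = Token("unscoped", user, origin, now + UNSCOPED_TTL)
        body = {"domains": [{"name": d, "projects": sorted(p)}
                            for d, p in sorted(self.assignments[user].items())]}
        return tid, body

    def _live_unscoped(self, tid, origin, now):
        """Exists, is unscoped (point 4), same origin (point 2), not expired (point 3)."""
        tok = self.tokens.get(tid)
        if tok is None or tok.kind != "unscoped":
            raise TokenError("only an unscoped token can be exchanged for another token")
        if tok.origin != origin:
            raise TokenError("unscoped token presented from a different origin")
        if now >= tok.expires:
            raise TokenError("unscoped token expired")
        return tok

    def extend_unscoped(self, tid, origin, now):
        """Point 3: hand back an unscoped token, get one good for another 10 minutes.
        Assumption: the old id is retired, so extension rotates rather than stacks."""
        tok = self._live_unscoped(tid, origin, now)
        del self.tokens[tid]
        new_id = secrets.token_hex(16)
        self.tokens[new_id] = Token("unscoped", tok.user, origin, now + UNSCOPED_TTL)
        return new_id

    def rescope(self, tid, origin, project, now):
        """Point 4: an unscoped token only buys a scoped token, and only for a project
        that appeared in the list returned at login."""
        tok = self._live_unscoped(tid, origin, now)
        if not any(project in p for p in self.assignments[tok.user].values()):
            raise TokenError("user %s has no role on project %s" % (tok.user, project))
        new_id = secrets.token_hex(16)
        self.tokens[new_id] = Token("scoped", tok.user, None, now + SCOPED_TTL, project)
        return new_id

    def validate_for_service(self, tid, now):
        """What a non-Keystone service would accept (point 4): scoped tokens only."""
        tok = self.tokens.get(tid)
        if tok is None or now >= tok.expires:
            raise TokenError("unknown or expired token")
        if tok.kind != "scoped":
            raise TokenError("unscoped tokens are only accepted by Keystone")
        return tok.user, tok.project


def _rejected(fn, *args):
    """True when the call is refused with TokenError."""
    try:
        fn(*args)
    except TokenError:
        return True
    return False


def run_scenario():
    """Exercise the rules against a fixed clock (seconds); returns what was observed."""
    svc = TokenService({"alice": {"d1": ["p1", "p2", "p3"], "d2": ["p4", "p5", "p6"]}})
    horizon, elsewhere = "https://horizon.example", "https://other.example"
    r = {"no_cert_rejected": _rejected(svc.issue_unscoped, "alice", horizon, 0.0, False)}
    unscoped, r["body"] = svc.issue_unscoped("alice", horizon, 0.0, True)
    r["unscoped_rejected_by_service"] = _rejected(svc.validate_for_service, unscoped, 1.0)
    r["other_origin_rejected"] = _rejected(svc.rescope, unscoped, elsewhere, "p1", 1.0)
    r["unlisted_project_rejected"] = _rejected(svc.rescope, unscoped, horizon, "p9", 1.0)
    scoped = svc.rescope(unscoped, horizon, "p4", 1.0)
    r["scoped_accepted_by_service"] = svc.validate_for_service(scoped, 2.0)
    r["scoped_cannot_rescope"] = _rejected(svc.rescope, scoped, horizon, "p1", 2.0)
    renewed = svc.extend_unscoped(unscoped, horizon, 599.0)   # just inside the 10 minutes
    r["old_id_dead_after_extend"] = _rejected(svc.rescope, unscoped, horizon, "p1", 599.5)
    r["renewed_usable_at_1198"] = svc.rescope(renewed, horizon, "p1", 1198.0) is not None
    r["renewed_expired_at_1199"] = _rejected(svc.rescope, renewed, horizon, "p1", 1199.0)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print("%-30s %r" % (k, v))
```

The scenario is the interesting part: a scoped token presented back to Keystone cannot be rescoped or extended, an unscoped token presented to any other service or from another origin is refused, and the extended token expires ten minutes after the extension rather than after the original login.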



