[openstack-dev] [Keystone][Horizon] Proposed Changed for Unscoped tokens.
Adam Young
ayoung at redhat.com
Mon Jul 7 03:03:20 UTC 2014
Probably should not have posted this over a weekend, especially a Long
weekend.
On 07/04/2014 06:13 PM, Adam Young wrote:
> Unscoped tokens are really a proxy for the Horizon session, so lets
> treat them that way.
>
>
> 1. When a user authenticates unscoped, they should get back a list of
> their projects:
>
> some thing along the lines of:
>
> domains [{ name = d1,
> projects [ p1, p2, p3]},
> { name = d2,
> projects [ p4, p5, p6]}]
>
> Not the service catalog. These are not in the token, only in the
> response body.
>
>
> 2. Unscoped tokens are only initially via HTTPS and require client
> certificate validation or Kerberos authentication from Horizon.
> Unscoped tokens are only usable from the same origin as they were
> originally requested.
>
>
> 3. Unscoped tokens should be very short lived: 10 minutes. Unscoped
> tokens should be infinitely extensible: If I hand an unscoped token
> to keystone, I get one good for another 10 minutes.
>
>
> 4. Unscoped tokens are only accepted in Keystone. They can only be
> used to get a scoped token. Only unscoped tokens can be used to get
> another token.
>
>
> Comments?
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list