[openstack-dev] [Keystone][Horizon] Proposed Changed for Unscoped tokens.
Marco Fargetta
Marco.Fargetta at ct.infn.it
Mon Jul 7 09:39:37 UTC 2014
On Fri, Jul 04, 2014 at 06:13:30PM -0400, Adam Young wrote:
> Unscoped tokens are really a proxy for the Horizon session, so lets
> treat them that way.
>
>
> 1. When a user authenticates unscoped, they should get back a list
> of their projects:
>
> some thing along the lines of:
>
> domains [{ name = d1,
> projects [ p1, p2, p3]},
> { name = d2,
> projects [ p4, p5, p6]}]
>
> Not the service catalog. These are not in the token, only in the
> response body.
>
>
> 2. Unscoped tokens are only initially via HTTPS and require client
> certificate validation or Kerberos authentication from Horizon.
> Unscoped tokens are only usable from the same origin as they were
> originally requested.
>
>
> 3. Unscoped tokens should be very short lived: 10 minutes.
> Unscoped tokens should be infinitely extensible: If I hand an
> unscoped token to keystone, I get one good for another 10 minutes.
>
Using this time limit horizon should extend all the unscoped token
every x min (with x< 10). Is this useful or could be long lived but
revocable by Keystone? In this case, after the unscoped token is
revoked it cannot be used to get a scoped token.
>
> 4. Unscoped tokens are only accepted in Keystone. They can only be
> used to get a scoped token. Only unscoped tokens can be used to get
> another token.
>
>
> Comments?
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
====================================================
Eng. Marco Fargetta, PhD
Istituto Nazionale di Fisica Nucleare (INFN)
Catania, Italy
EMail: Marco.Fargetta at ct.infn.it
====================================================
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5483 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140707/034c8f84/attachment.bin>
More information about the OpenStack-dev
mailing list