[openstack-dev] [Keystone][Horizon] Proposed Changed for Unscoped tokens.

Adam Young ayoung at redhat.com
Mon Jul 7 13:24:39 UTC 2014


On 07/07/2014 05:39 AM, Marco Fargetta wrote:
> On Fri, Jul 04, 2014 at 06:13:30PM -0400, Adam Young wrote:
>> Unscoped tokens are really a proxy for the Horizon session, so let's
>> treat them that way.
>>
>>
>> 1.  When a user authenticates unscoped, they should get back a list
>> of their projects:
>>
>> something along the lines of:
>>
>> domains [{   name = d1,
>>                   projects [ p1, p2, p3]},
>>                 {   name = d2,
>>                   projects [ p4, p5, p6]}]
>>
>> Not the service catalog.  These are not in the token, only in the
>> response body.
>>
>>
>> 2.  Unscoped tokens are only initially via HTTPS and require client
>> certificate validation or Kerberos authentication from Horizon.
>> Unscoped tokens are only usable from the same origin as they were
>> originally requested.
>>
>>
>> 3.  Unscoped tokens should be very short lived:  10 minutes.
>> Unscoped tokens should be infinitely extensible:   If I hand an
>> unscoped token to keystone, I get one good for another 10 minutes.
>>
> Using this time limit, Horizon should extend all the unscoped tokens
> every x min (with x < 10). Is this useful, or could they be long-lived but
> revocable by Keystone? In this case, after the unscoped token is
> revoked it cannot be used to get a scoped token.
Close. I was thinking more along the lines of Horizon looking at the
unscoped token and, if it is about to expire, exchanging one unscoped
token for another. The unscoped tokens would have a short time-to-live
(10 minutes) and any scoped tokens they create would have the same time
span: we could in theory make the unscoped last longer, but I don't
really think it would be necessary.

>
>
>
>
>> 4.  Unscoped tokens are only accepted in Keystone.  They can only be
>> used to get a scoped token.  Only unscoped tokens can be used to get
>> another token.
>>
>>
>> Comments?
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
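The token lifecycle laid out in points 1 through 4, together with the refresh-on-expiry behaviour described in the reply, modelled as an added Python example (not Keystone's or Horizon's own code). The `Keystone` and `Token` classes, the origin strings and the 60-second refresh margin are assumptions, and the scoped token's lifetime is taken to be the same 10-minute span as the unscoped one.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

TTL_SECONDS = 600  # the 10-minute unscoped-token lifetime proposed in the thread


@dataclass
class Token:
    id: str
    user: str
    origin: str                    # Horizon origin the token was requested from
    expires_at: float
    project: Optional[str] = None  # None means unscoped


class Keystone:
    def __init__(self, domains, clock):
        self.domains, self.clock, self.tokens = domains, clock, {}  # {domain: [projects]}
    def _issue(self, user, origin, project=None):
        tok = Token(secrets.token_hex(16), user, origin, self.clock() + TTL_SECONDS, project)
        self.tokens[tok.id] = tok
        return tok
    def authenticate(self, user, origin, client_cert_ok):
        # Point 2: unscoped tokens are only issued over an authenticated channel.
        if not client_cert_ok:
            raise PermissionError("unscoped auth requires client certificate or Kerberos")
        # Point 1: the response body, not the token, lists domains and projects (no catalog).
        body = {"domains": [{"name": d, "projects": list(p)} for d, p in self.domains.items()]}
        return self._issue(user, origin), body
    def _check_unscoped(self, token_id, origin):
        tok = self.tokens.get(token_id)
        if tok is None or tok.expires_at <= self.clock():
            raise PermissionError("unknown or expired token")
        if tok.project is not None:  # Point 4: only unscoped tokens can get another token
            raise PermissionError("scoped tokens cannot be exchanged")
        if tok.origin != origin:     # Point 2: same-origin use only
            raise PermissionError("token bound to a different origin")
        return tok
    def renew(self, token_id, origin):
        # Point 3: hand in a valid unscoped token, get one good for another 10 minutes.
        return self._issue(self._check_unscoped(token_id, origin).user, origin)
    def scope(self, token_id, origin, project):
        # Scoped tokens get the same 10-minute span (assumption drawn from the reply).
        return self._issue(self._check_unscoped(token_id, origin).user, origin, project)
    def validate_for_service(self, token_id):
        # Point 4: any service other than Keystone must reject unscoped tokens outright.
        tok = self.tokens.get(token_id)
        return tok is not None and tok.project is not None and tok.expires_at > self.clock()


def horizon_refresh(ks, tok, origin, margin=60):  # Horizon-side step from the reply
    return ks.renew(tok.id, origin) if tok.expires_at - ks.clock() < margin else tok
```

Passing a controllable `clock` callable (assumed here instead of `time.time`) lets the expiry and refresh paths be exercised deterministically.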
