[openstack-dev] [Keystone][Horizon] Proposed Changed for Unscoped tokens.

Marco Fargetta Marco.Fargetta at ct.infn.it
Mon Jul 7 14:33:37 UTC 2014


> >>3.  Unscoped tokens should be very short lived:  10 minutes.
> >>Unscoped tokens should be infinitely extensible:   If I hand an
> >>unscoped token to keystone, I get one good for another 10 minutes.
> >>
> >Using this time limit, Horizon should extend all the unscoped tokens
> >every x min (with x < 10). Is this useful, or could they be long lived but
> >revocable by Keystone? In this case, after the unscoped token is
> >revoked it cannot be used to get a scoped token.
> Close. I was thinking more along the lines of  Horizon looking at
> the unscoped token and, if it is about to expire, exchanging one
> unscoped token for another.  The unscoped tokens would have a short
> time-to-live (10 minutes) and any scoped tokens they create would
> have the same time span:  we could in theory make the unscoped last
> longer, but I don't really think it would be necessary.
> 


When should Horizon check the token validity? If it depends on external
events, like user interactions, I think the time-frame should be similar to the
user session to avoid the need to authenticate users many times within the session.

If you use an external thread to renew the tokens, then they could be shorter, but
this would generate some traffic to evaluate.
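
The trade-off raised in this message, as an added example that is not part of the original e-mail or of Keystone/Horizon code: a small model that counts re-authentications and token exchanges for renewal on user requests versus renewal by a background timer. `FakeKeystone`, `simulate`, the 120-second renewal margin and the session timings are all constructed for illustration; only the 10-minute lifetime comes from the thread.

```python
from dataclasses import dataclass

@dataclass
class Token:
    expires_at: int

class FakeKeystone:
    """Constructed in-memory stand-in for the token service; not the Keystone API."""
    def __init__(self, ttl):
        self.ttl, self.logins, self.exchanges = ttl, 0, 0

    def login(self, now):
        self.logins += 1
        return Token(now + self.ttl)

    def exchange(self, token, now):
        if now >= token.expires_at:      # an expired token cannot be extended
            return None
        self.exchanges += 1
        return Token(now + self.ttl)

def simulate(interactions, session_end, ttl=600, timer_period=None, margin=120):
    """Return (logins, exchanges) for one session.

    interactions: sorted request times in seconds; the first one is the login.
    timer_period: if set, a background timer exchanges the token every N seconds.
    margin: on a user request, exchange when fewer than `margin` seconds remain.
    """
    ks = FakeKeystone(ttl)
    start = interactions[0]
    token = ks.login(start)
    events = [(t, "user") for t in interactions[1:]]
    if timer_period:
        events += [(t, "timer") for t in range(start + timer_period, session_end, timer_period)]
    for now, kind in sorted(events):
        if kind == "timer":
            token = ks.exchange(token, now) or token
        elif now >= token.expires_at:
            token = ks.login(now)        # token lapsed: the user authenticates again
        elif token.expires_at - now < margin:
            token = ks.exchange(token, now)
    return ks.logins, ks.exchanges

# Constructed one-hour session with two idle gaps longer than 10 minutes.
SESSION = [0, 200, 500, 1500, 1600, 3000]

if __name__ == "__main__":
    print("renew on user request, 10 min TTL:", simulate(SESSION, 3600))
    print("background timer every 5 min:     ", simulate(SESSION, 3600, timer_period=300))
    print("renew on user request, 1 h TTL:   ", simulate(SESSION, 3600, ttl=3600))
```

With this constructed session, renewing only on user requests costs extra logins after each idle gap, while the timer avoids them at the price of an exchange every five minutes whether or not the user is active.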


