[openstack-dev] [Keystone][Horizon] Proposed Changed for Unscoped tokens.

Adam Young ayoung at redhat.com
Mon Jul 7 14:42:29 UTC 2014


On 07/07/2014 10:33 AM, Marco Fargetta wrote:
>>>> 3.  Unscoped tokens should be very short lived:  10 minutes.
>>>> Unscoped tokens should be infinitely extensible:   If I hand an
>>>> unscoped token to keystone, I get one good for another 10 minutes.
>>>>
>>> Using this time limit horizon should extend all the unscoped token
>>> every x min (with x< 10). Is this useful or could be long lived but
>>> revocable by Keystone? In this case, after the unscoped token is
>>> revoked it cannot be used to get a scoped token.
>> Close. I was thinking more along the lines of  Horizon looking at
>> the unscoped token and, if it is about to expire, exchanging one
>> unscoped token for another.  The unscoped tokens would have a short
>> time-to-live (10 minutes) and any scoped tokens they create would
>> have the same time span:  we could in theory make the unscoped last
>> longer, but I don't really think it would be necessary.
>>
>
> When should Horizon check the token validity? If it depends from external
> events, like user interactions, I think the time-frame should be similar to the
> user session to avoid the need of authenticate users many times inside the session.
>
> If you use an external thread to renew the token then they could be shorter but
> this would generate some traffic to evaluate.

The session token would be saved in the user's HTTP session cookie. When 
a user interacts with Horizon, django-openstack-auth would check for the 
presence of the session cookie, and, if the cookie is about to expire, 
extend it.

It does mean that the Horizon web app can only perform operations when 
actively initiated by the user, otherwise the session will be 
automatically extended forever if the user just sits on the page. Using 
an ajax approach with automatically timed refreshes could potentially 
lead to this, but it is not the case now.

The threshold to refresh should be fairly close to session time 
out: If the session times out in 20 minutes, don't refresh every 30 
seconds. If the token duration is 10 minutes, and the user triggers a 
Horizon request at 9 minutes and 30 seconds, django-openstack-auth can 
refresh the token: a 30 second window is reasonable.
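Added example, not code from the thread, from django-openstack-auth or from
Keystone: a small simulation of the sliding-window refresh described above. A
10 minute unscoped token is exchanged for a fresh one only when a user-initiated
request arrives within the last 30 seconds of its life, and an idle session is
left to expire. FakeKeystone, HorizonSession, needs_refresh and simulate are
hypothetical names for this example. It also assumes, as one reading of "the
same time span", that a scoped token inherits the expiry of the unscoped token
it was obtained from.

```python
"""
Simulation of sliding-window refresh of a short-lived unscoped token.
Hypothetical example code: FakeKeystone stands in for the real Keystone
service and HorizonSession for the django-openstack-auth session logic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import secrets

UNSCOPED_TTL = timedelta(minutes=10)     # proposed unscoped-token lifetime
REFRESH_WINDOW = timedelta(seconds=30)   # refresh only this close to expiry


@dataclass(frozen=True)
class Token:
    id: str
    expires_at: datetime
    project: Optional[str] = None        # None means unscoped


class FakeKeystone:
    """Stand-in token issuer (assumption: not the real Keystone API)."""

    def __init__(self) -> None:
        self._issued = {}

    def _issue(self, now: datetime, project: Optional[str] = None) -> Token:
        tok = Token(secrets.token_hex(16), now + UNSCOPED_TTL, project)
        self._issued[tok.id] = tok
        return tok

    def authenticate(self, now: datetime) -> Token:
        return self._issue(now)

    def validate(self, token_id: str, now: datetime) -> bool:
        tok = self._issued.get(token_id)
        return tok is not None and now < tok.expires_at

    def exchange_unscoped(self, token_id: str, now: datetime) -> Token:
        """Unscoped token in, new unscoped token good for another full TTL."""
        if not self.validate(token_id, now):
            raise PermissionError("expired or unknown unscoped token")
        return self._issue(now)

    def scope(self, token_id: str, project: str, now: datetime) -> Token:
        """Scoped token inherits the expiry of its unscoped parent (assumption)."""
        tok = self._issued.get(token_id)
        if tok is None or tok.project is not None or now >= tok.expires_at:
            raise PermissionError("need a valid unscoped token to scope")
        scoped = Token(secrets.token_hex(16), tok.expires_at, project)
        self._issued[scoped.id] = scoped
        return scoped


def needs_refresh(token: Token, now: datetime) -> bool:
    """True only inside the 30 second window before expiry, never earlier."""
    return now >= token.expires_at - REFRESH_WINDOW


class HorizonSession:
    """Holds the unscoped token the way the HTTP session cookie would."""

    def __init__(self, ks: FakeKeystone, now: datetime) -> None:
        self.ks = ks
        self.token = ks.authenticate(now)
        self.refreshes = 0

    def on_request(self, now: datetime) -> Token:
        """Runs only on a user-initiated request; there is no background timer."""
        if not self.ks.validate(self.token.id, now):
            raise PermissionError("session expired; re-authenticate")
        if needs_refresh(self.token, now):
            self.token = self.ks.exchange_unscoped(self.token.id, now)
            self.refreshes += 1
        return self.token


T0 = datetime(2014, 7, 7, 14, 0, tzinfo=timezone.utc)   # constructed start time


def simulate(request_offsets_seconds: List[int]) -> Tuple[List[str], int]:
    """Replay user requests at the given offsets; report outcome and refresh count."""
    ks = FakeKeystone()
    sess = HorizonSession(ks, T0)
    outcomes = []
    for off in request_offsets_seconds:
        now = T0 + timedelta(seconds=off)
        try:
            sess.on_request(now)
            outcomes.append("ok")
        except PermissionError:
            outcomes.append("expired")
    return outcomes, sess.refreshes


def scoped_inherits_expiry() -> bool:
    """Check that scoping one minute in does not extend the lifetime."""
    ks = FakeKeystone()
    unscoped = ks.authenticate(T0)
    scoped = ks.scope(unscoped.id, "demo", T0 + timedelta(minutes=1))
    return scoped.expires_at == unscoped.expires_at


if __name__ == "__main__":
    print("active user:", simulate([60, 300, 570, 900]))
    print("idle user:  ", simulate([300, 700]))
    print("scoped token keeps parent expiry:", scoped_inherits_expiry())
```

The request at 570 seconds (9 minutes 30 seconds) is the one that triggers the
exchange; the request at 300 seconds does not, which is the point of keeping the
threshold close to expiry rather than refreshing on every hit. The idle session
gets no refresh and is rejected at 700 seconds.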


