[openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size

Adam Young ayoung at redhat.com
Tue Mar 17 13:57:14 UTC 2015

On 03/17/2015 03:30 AM, David Chadwick wrote:
> Encryption per se does not decrease token size, the best it can do is
> keep the token size the same size. So using Fernet tokens will not on
> its own alter the token size.

Fernet is striking a balance.  It is encrypting a subset of the data.  
Not the whole payload of the PKI tokens.  They are under 500 Bytes, with 
a target of getting them under 255 bytes.  Only Federation tokens should 
be larger than 255 bytes.

>   Reducing the size must come from putting
> less information in the token. If the token recipient has to always go
> back to Keystone to get the token validated, then all the token needs to
> be is a large random number that Keystone can look up in its database to
> retrieve the user's permissions. In this case no encryption is needed at
> all.
The Fernet goal is to remove that database.  Instead, the data 
associated with the token will be assembled at verification time from 
the small subset in the fernet token body and the data stored in the 
Keystone server.
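A worked illustration of the two points above (encryption does not shrink a payload; Fernet tokens get small by encrypting only a subset of the claims). This is an added example, not code from either poster or from Keystone: the Fernet framing constants come from the public Fernet spec, but the compact packing layout, the method bitmask values, the sample IDs and the verbose claim set are assumptions constructed for the demonstration, and `real_token_len` is only a cross-check that runs if the `cryptography` package happens to be installed.

```python
"""Fernet token size depends on what is encrypted, not on the encryption.

A Fernet token is base64url( version | timestamp | IV | AES-CBC ciphertext | HMAC ),
so its length is a fixed function of the plaintext length and always exceeds it.
Keeping a token under 255 bytes therefore means packing a small subset of the
token data, and assembling the rest (roles, catalog) on the server at validation.
"""
import json
import math
import struct
import uuid

# Fixed Fernet framing (Fernet spec): 1-byte version, 8-byte timestamp,
# 16-byte IV before the ciphertext; 32-byte HMAC-SHA256 after it.
FERNET_HEADER_LEN = 1 + 8 + 16
FERNET_HMAC_LEN = 32
AES_BLOCK = 16

# Assumed bitmask values for the authentication methods (illustrative only).
METHOD_PASSWORD = 1
METHOD_TOKEN = 2

# Constructed sample identifiers (not real users or projects).
USER_ID = "6a4b5e2f1c3d4e5f8a9b0c1d2e3f4a5b"
PROJECT_ID = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
EXPIRES_AT = 1426604234.0          # Unix timestamp, stored as a double
AUDIT_ID = b"\x01" * 16            # 16 raw bytes of audit id

# Constructed example of the kind of claim set a PKI token carried in full.
VERBOSE_CLAIMS = {
    "user": {"id": USER_ID, "name": "alice", "domain": "default"},
    "project": {"id": PROJECT_ID, "name": "demo"},
    "roles": ["admin", "member", "reader"],
    "methods": ["password"],
    "expires_at": "2015-03-17T14:57:14Z",
    "catalog": [
        {"type": svc, "endpoints": {
            "public": f"https://{svc}.example.net/v3",
            "internal": f"https://{svc}.example.net/v3",
            "admin": f"https://{svc}.example.net/v3"}}
        for svc in ("identity", "compute", "image", "volume", "network")
    ],
}


def fernet_token_len(plaintext_len: int) -> int:
    """Characters in the base64url Fernet token for a plaintext of this length.

    PKCS#7 padding always adds 1..16 bytes, so ciphertext is the next multiple
    of 16 strictly above the plaintext length; base64 then expands by 4/3,
    rounded up to a multiple of 4.  The result is always > plaintext_len.
    """
    ciphertext_len = (plaintext_len // AES_BLOCK + 1) * AES_BLOCK
    raw_len = FERNET_HEADER_LEN + ciphertext_len + FERNET_HMAC_LEN
    return 4 * math.ceil(raw_len / 3)


def compact_payload(user_id: str, project_id: str, expires_at: float,
                    methods: int, audit_id: bytes) -> bytes:
    """Illustrative compact packing (assumed layout, not Keystone's exact one):
    a format byte, UUIDs as 16 raw bytes instead of 32 hex characters, the
    methods as a one-byte bitmask, expiry as a double, audit id as raw bytes.
    Roles and the service catalog are deliberately absent: the validating
    Keystone looks them up from its own data for this user and project."""
    return struct.pack(">B16sB16sd16s", 1,
                       uuid.UUID(user_id).bytes, methods,
                       uuid.UUID(project_id).bytes, expires_at, audit_id)


def size_report() -> dict:
    """Compare the token size of the compact subset against the full claim set."""
    compact = compact_payload(USER_ID, PROJECT_ID, EXPIRES_AT,
                              METHOD_PASSWORD, AUDIT_ID)
    verbose = json.dumps(VERBOSE_CLAIMS, separators=(",", ":")).encode()
    return {
        "compact_plaintext": len(compact),
        "compact_token": fernet_token_len(len(compact)),
        "verbose_plaintext": len(verbose),
        "verbose_token": fernet_token_len(len(verbose)),
    }


def real_token_len(plaintext: bytes):
    """Cross-check the formula against a real Fernet implementation when the
    `cryptography` package is installed; returns None when it is not."""
    try:
        from cryptography.fernet import Fernet
    except ImportError:
        return None
    return len(Fernet(Fernet.generate_key()).encrypt(plaintext))


if __name__ == "__main__":
    report = size_report()
    for key, value in report.items():
        print(f"{key:>18}: {value}")
    print("library cross-check:", real_token_len(b"x" * report["compact_plaintext"]))
```

With the assumed layout the compact plaintext is 58 bytes and the token 164 characters, comfortably under the 255-byte target, while the same identity carried with roles and a five-service catalog produces a token well over 500 characters regardless of the cipher; `fernet_token_len(0)` is 100, the minimum size of any Fernet token.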
