[openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client
David Stanek
dstanek at dstanek.com
Thu Jul 7 00:36:42 UTC 2016
On 07/01 at 19:41, Fox, Kevin M wrote:
> Hi David,
>
> How do you feel about the approach here:
> https://review.openstack.org/#/c/311189/
>
> It lets the existing angular js module:
> horizon.app.core.openstack-service-api.keystone
>
> access the current token via getCurrentUserSession().token
>
Hey Kevin,
It's hard to tell without a lot of the context. From what I can tell the
token is pulled down as part of the data of an API request. As long as
that's not cached I think you are OK.
--
David Stanek
web: http://dstanek.com
blog: http://traceback.org