[openstack-dev] [keystone][monasca][congress][senlin][telemetry] authenticated webhook notifications

Eric K ekcs.openstack at gmail.com
Tue May 8 19:47:27 UTC 2018


To clarify, one of the reasons I'd like to accept webhook notifications
authenticated with keystone tokens is that I don't want the access to
expire, but of course it's poor practice to use a signed URL that never
expires.

Eric

On 5/8/18, 12:29 PM, "Eric K" <ekcs.openstack at gmail.com> wrote:

>Thanks, Thomas!
>
>I see the point that it is impractical to configure a service with a fixed
>keystone token to use in webhook notifications because they expire fairly
>quickly.
>
>I'm thinking about the situation where the sending service can obtain
>tokens directly from keystone. In that case I'm guessing the main reason
>it hasn't been done that way is because it does not generalize to most
>other services that don't connect to keystone?
>
>On 5/6/18, 9:30 AM, "Thomas Herve" <therve at redhat.com> wrote:
>
>>On Sat, May 5, 2018 at 1:53 AM, Eric K <ekcs.openstack at gmail.com> wrote:
>>> Thanks a lot Witold and Thomas!
>>>
>>> So it doesn't seem that someone is currently using a keystone token to
>>> authenticate web hook? Is is simply because most of the use cases had
>>> involved services which do not use keystone?
>>>
>>> Or is it unsuitable for another reason?
>>
>>It's fairly impractical for webhooks because
>>
>>1) Tokens expire fairly quickly.
>>2) You can't store all the data in the URL, so you need to store the
>>token and the URL separately.
>>
>>-- 
>>Thomas
>>
>>_________________________________________________________________________
>>_
>>OpenStack Development Mailing List (not for usage questions)
>>Unsubscribe: 
>>OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>





More information about the OpenStack-dev mailing list