[Openstack] State of OpenStack Auth

Jorge Williams jorge.williams at rackspace.com
Fri Mar 4 00:11:46 UTC 2011

On Mar 3, 2011, at 5:45 PM, Chuck Thier wrote:

> The problem with this logic is that you are optimizing wrong.  In a token based auth system, the tokens are valid generally for a period of time (24 hours normally with Rackspace auth), and it is a best practice to cache this.  Saying that you are reducing HTTP requests for 1 request that has to happen every 24 hours isn't saving you that much.
> But back to the auth questions in general, I would like to comment on a couple of things that have come up:
> 1.  Basic Auth - I'm not fond of this mainly because auth credentials (identification and secret) are sent, and have to be verified on every single request.  This also means that every endpoint is going to be handling the users' secrets for every request.  I think there is good precedent with no major service providers using basic auth (even including twitter moving away from basic auth, to OAuth)

We could do something like digest that is also easy to use and has really good  support.

> 2. Signed vs. Token based auth - Why not support both?  It isn't that complex.  It is also interesting that OAuth v1 was signature based, while OAuth v2 has moved to a token based auth system, so there is broad support in the general community for both methods.

We're not going to avoid OAuth -- that's something that we're going to eventually have to support because delegation is such a compelling use case.  Both OAuth v1 and v2 were token based if I recall correctly.  V2 dropped the requirement that everything be signed -- a really good move in my opinion.  You're right in that signatures are not *that* complicated, but they do  raise the barrier of entry to an API.  There are also a lot of subtleties associated with them --  Cn14 comes to mind (http://en.wikipedia.org/wiki/XML_Signature#XML_Canonicalization), I believe there is a  similar problem with JSON(?)  I also potentially see performance issues. Just speaking as someone who's had to maintain day to day an API, I can already feel the headaches.  If signed request were optional, as they are in OAuth 2, I would vote to not use them and just secure everything with SSL.

-jOrGe W.

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse at rackspace.com, and delete the original message.
Your cooperation is appreciated.

More information about the Openstack mailing list