The token itself is still expired, regardless of where it's persisted, if at all. Expired tokens are only considered valid when presented as an X-Auth-Token to keystonemiddleware.auth_token along with a valid X-Service-Token, or when validating an X-Subject-Token against keystone directly using either:

HEAD /v3/auth/token?allow_expired
GET /v3/auth/token?allow_expired

No configuration is required in keystone.conf to enable the feature. More documentation is available in the release notes [1][2] and in the sample configuration file [3] (see [token] allow_expired_window).

[1] https://docs.openstack.org/releasenotes/keystone/ocata.html#new-features
[2] https://docs.openstack.org/releasenotes/keystone/ocata.html#upgrade-notes
[3] https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html

On Mon, Apr 3, 2017 at 7:58 AM lương hữu tuấn <tuantulu...@gmail.com> wrote:
> Hi Dolph,
>
> Thanks for the reply. It means that from the db point of view, the token is
> expired but it is still passed to other service users in the request (token
> stored in memory?) and keystone allows this expired token? And to make this
> feature work, we should apply the header "X-Service-Token" and change
> "allow_expired" in keystone.conf.
>
> Br,
>
> Tuan/Nokia
>
> On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews <dolph.math...@gmail.com> wrote:
> >
> > > does it mean that the token now will live forever
> >
> > No; it behaves as described in the document you linked. If you have any
> > specific security concerns, please raise them appropriately (such as a
> > security bug, if necessary).
> >
> > On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn <tuantulu...@gmail.com> wrote:
> > >
> > > Hi keystone folks,
> > >
> > > I have had a chance to take a look at this patch below for allowing the
> > > expired token, and it was merged in Ocata:
> > >
> > > https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html
> > >
> > > In our project, we also have a problem with token expiration when running
> > > a mistral workflow. I have a concern that if this patch works as it does,
> > > does it mean that the token now will live forever ("forever" seems so
> > > sloppy, but it seems like the token is no longer expired)? In this case, it
> > > seems not good for security purposes.
> > >
> > > Br,
> > >
> > > Tuan/Nokia
> > >
> > > __________________________________________________________________________
> > > OpenStack Development Mailing List (not for usage questions)
> > > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> > --
> > -Dolph

--
-Dolph
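The rules Dolph summarises above (an expired token is accepted only when it arrives at keystonemiddleware.auth_token together with a valid X-Service-Token, or when the caller validates it against keystone with ?allow_expired) can be modelled as a small decision function. The following Python is an added illustration written for this thread; it is not keystone or keystonemiddleware code, and the 172800-second default for [token] allow_expired_window, the token records and the request headers are constructed assumptions for the example.

```python
"""Model of keystone's allow_expired validation rules as described in the thread.

Constructed example, not keystone code. It shows that an expired token is
accepted only on two narrow paths, and only for a bounded window after expiry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: [token] allow_expired_window default of 2 days, in seconds.
DEFAULT_ALLOW_EXPIRED_WINDOW = 172800


@dataclass(frozen=True)
class Token:
    token_id: str
    expires_at: datetime
    revoked: bool = False


def is_expired(token: Token, now: datetime) -> bool:
    return now >= token.expires_at


def validate_subject_token(token: Token, now: datetime, allow_expired: bool = False,
                           window_seconds: int = DEFAULT_ALLOW_EXPIRED_WINDOW):
    """Model of GET/HEAD /v3/auth/tokens with X-Subject-Token and optional ?allow_expired.

    Returns (accepted, reason). A revoked token is never accepted; an expired one is
    accepted only when allow_expired was requested AND the expiry lies inside the window.
    """
    if token.revoked:
        return False, "revoked"
    if not is_expired(token, now):
        return True, "valid"
    if not allow_expired:
        return False, "expired"
    if now - token.expires_at > timedelta(seconds=window_seconds):
        return False, "expired beyond allow_expired_window"
    return True, "expired but within allow_expired_window"


def auth_token_middleware(headers: dict, tokens: dict, now: datetime,
                          window_seconds: int = DEFAULT_ALLOW_EXPIRED_WINDOW):
    """Model of keystonemiddleware.auth_token's decision for one request.

    X-Auth-Token alone must be unexpired. An expired X-Auth-Token is accepted only if
    the request also carries a currently valid X-Service-Token; the service token
    itself never benefits from allow_expired.
    """
    user = tokens.get(headers.get("X-Auth-Token"))
    if user is None:
        return False, "unknown user token"
    service = tokens.get(headers.get("X-Service-Token", ""))
    service_ok = service is not None and validate_subject_token(service, now)[0]
    ok, reason = validate_subject_token(user, now, allow_expired=service_ok,
                                        window_seconds=window_seconds)
    if ok and service_ok and is_expired(user, now):
        reason = "expired user token accepted with valid service token"
    return ok, reason


# Constructed sample data: a fixed "now" and a handful of user and service tokens.
NOW = datetime(2017, 4, 3, 12, 0, tzinfo=timezone.utc)
TOKENS = {
    "user-fresh": Token("user-fresh", NOW + timedelta(hours=1)),
    "user-stale": Token("user-stale", NOW - timedelta(hours=1)),
    "user-old": Token("user-old", NOW - timedelta(days=3)),
    "svc-valid": Token("svc-valid", NOW + timedelta(hours=1)),
    "svc-stale": Token("svc-stale", NOW - timedelta(hours=1)),
}


def demo():
    """Run the representative request shapes through the middleware model."""
    cases = {
        "stale_alone": {"X-Auth-Token": "user-stale"},
        "stale_with_service": {"X-Auth-Token": "user-stale", "X-Service-Token": "svc-valid"},
        "old_with_service": {"X-Auth-Token": "user-old", "X-Service-Token": "svc-valid"},
        "stale_with_stale_service": {"X-Auth-Token": "user-stale", "X-Service-Token": "svc-stale"},
        "fresh_alone": {"X-Auth-Token": "user-fresh"},
    }
    return {name: auth_token_middleware(h, TOKENS, NOW) for name, h in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} accepted={result[0]!s:5s} {result[1]}")
```

The model makes the two points of the thread concrete: the expiry timestamp on the token never changes, and without a valid service token (or an explicit ?allow_expired on a direct validation call) an expired token is rejected exactly as before; even with one, acceptance stops at the configured window.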