Probably should not have posted this over a weekend, especially a long
weekend.
On 07/04/2014 06:13 PM, Adam Young wrote:
Unscoped tokens are really a proxy for the Horizon session, so let's
treat them that way.
1. When a user authenticates unscoped, they should get back a list of
their projects:
something along the lines of:

    domains [{ name = d1,
               projects [ p1, p2, p3]},
             { name = d2,
               projects [ p4, p5, p6]}]

Not the service catalog. These are not in the token, only in the
response body.
2. Unscoped tokens are only initially via HTTPS and require client
certificate validation or Kerberos authentication from Horizon.
Unscoped tokens are only usable from the same origin as they were
originally requested.
3. Unscoped tokens should be very short lived: 10 minutes. Unscoped
tokens should be infinitely extensible: If I hand an unscoped token
to keystone, I get one good for another 10 minutes.
4. Unscoped tokens are only accepted in Keystone. They can only be
used to get a scoped token. Only unscoped tokens can be used to get
another token.
Comments?
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
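
A minimal in-memory model of the four rules proposed above, added here as an illustration; it is not code from Keystone or from the original post. The class and method names, the string `origin` value and the `strong_auth` flag are hypothetical, and scoped tokens reuse the 10-minute lifetime only because the proposal gives none for them.

```python
import secrets
import time

TTL = 600  # seconds; the 10 minutes from point 3

class TokenError(Exception):
    """Raised when a request breaks one of the proposed rules."""

class ToyTokenService:
    """Hypothetical in-memory model of points 1-4; not Keystone code."""
    def __init__(self, memberships, clock=time.time):
        self.memberships = memberships  # user -> {domain: [projects]}
        self.clock = clock              # injectable so expiry can be tested
        self.tokens = {}                # token id -> record

    def _issue(self, user, origin, project):
        tid = secrets.token_urlsafe(16)
        # Assumption: scoped tokens reuse TTL; the proposal sets no lifetime for them.
        self.tokens[tid] = {"user": user, "origin": origin, "project": project,
                            "expires": self.clock() + TTL}
        return tid

    def authenticate(self, user, origin, strong_auth):
        if not strong_auth:  # point 2: client certificate or Kerberos
            raise TokenError("client certificate or Kerberos required")
        # Point 1: the project list travels in the response body, not the token.
        body = {"domains": [{"name": d, "projects": list(ps)}
                            for d, ps in self.memberships[user].items()]}
        return self._issue(user, origin, None), body

    def _require_unscoped(self, tid, origin):
        rec = self.tokens.get(tid)
        if rec is None or rec["expires"] <= self.clock():
            raise TokenError("unknown or expired token")
        if rec["project"] is not None:  # point 4: scoped tokens get nothing further
            raise TokenError("only an unscoped token can obtain another token")
        if rec["origin"] != origin:     # point 2: same origin as the first request
            raise TokenError("origin mismatch")
        return rec

    def extend(self, tid, origin):
        # Point 3: a valid unscoped token buys a fresh one for another 10 minutes.
        return self._issue(self._require_unscoped(tid, origin)["user"], origin, None)

    def scope(self, tid, origin, project):
        rec = self._require_unscoped(tid, origin)
        # Assumption: scoping is limited to the projects listed at authentication.
        if not any(project in ps for ps in self.memberships[rec["user"]].values()):
            raise TokenError("user is not a member of that project")
        return self._issue(rec["user"], origin, project)
```

Because `extend` issues a new token rather than lengthening the old one, a leaked unscoped token still stops working at its original expiry unless the holder also presents it from the original origin.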