On Fri, Jul 04, 2014 at 06:13:30PM -0400, Adam Young wrote:
> Unscoped tokens are really a proxy for the Horizon session, so lets
> treat them that way.
>
>
> 1. When a user authenticates unscoped, they should get back a list
> of their projects:
>
> some thing along the lines of:
>
> domains [{ name = d1,
> projects [ p1, p2, p3]},
> { name = d2,
> projects [ p4, p5, p6]}]
>
> Not the service catalog. These are not in the token, only in the
> response body.
>
>
> 2. Unscoped tokens are only initially via HTTPS and require client
> certificate validation or Kerberos authentication from Horizon.
> Unscoped tokens are only usable from the same origin as they were
> originally requested.
>
>
> 3. Unscoped tokens should be very short lived: 10 minutes.
> Unscoped tokens should be infinitely extensible: If I hand an
> unscoped token to keystone, I get one good for another 10 minutes.
> Using this time limit horizon should extend all the unscoped token every x min (with x< 10). Is this useful or could be long lived but revocable by Keystone? In this case, after the unscoped token is revoked it cannot be used to get a scoped token. > > 4. Unscoped tokens are only accepted in Keystone. They can only be > used to get a scoped token. Only unscoped tokens can be used to get > another token. > > > Comments? > > _______________________________________________ > OpenStack-dev mailing list > [email protected] > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- ==================================================== Eng. Marco Fargetta, PhD Istituto Nazionale di Fisica Nucleare (INFN) Catania, Italy EMail: [email protected] ====================================================
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
