On Fri, Jul 04, 2014 at 06:13:30PM -0400, Adam Young wrote:
> Unscoped tokens are really a proxy for the Horizon session, so let's
> treat them that way.
>
>
> 1. When a user authenticates unscoped, they should get back a list
> of their projects:
>
> something along the lines of:
>
> domains [{ name = d1,
>            projects [ p1, p2, p3]},
>          { name = d2,
>            projects [ p4, p5, p6]}]
>
> Not the service catalog. These are not in the token, only in the
> response body.
>
>
> 2. Unscoped tokens are only initially via HTTPS and require client
> certificate validation or Kerberos authentication from Horizon.
> Unscoped tokens are only usable from the same origin as they were
> originally requested.
>
>
> 3. Unscoped tokens should be very short lived: 10 minutes.
> Unscoped tokens should be infinitely extensible: If I hand an
> unscoped token to keystone, I get one good for another 10 minutes.
>
Using this time limit, Horizon should extend all the unscoped tokens every x min (with x < 10). Is this useful, or could they be long lived but revocable by Keystone? In this case, after the unscoped token is revoked it cannot be used to get a scoped token.

>
> 4. Unscoped tokens are only accepted in Keystone. They can only be
> used to get a scoped token. Only unscoped tokens can be used to get
> another token.
>
>
> Comments?
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-- 
====================================================
Eng. Marco Fargetta, PhD
Istituto Nazionale di Fisica Nucleare (INFN)
Catania, Italy
EMail: marco.farge...@ct.infn.it
====================================================
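The four rules proposed above, plus the revocation alternative raised in the reply, can be exercised as a small model. The following is an added example written for this thread; it is not Keystone or Horizon code, and the class and method names (TokenStore, issue_unscoped, extend, scope, revoke), the 10-minute TTL constant, the fake clock and the sample user/domain data are all assumptions made for illustration.

```python
"""Model of the unscoped-token lifecycle proposed in the thread (added example,
not Keystone/Horizon code). Rules modelled:
  1. unscoped authentication returns a domains/projects list in the body, not the catalog
  2. unscoped tokens are issued only over HTTPS and bound to the requesting origin
  3. unscoped tokens live 10 minutes and can be traded for a fresh 10-minute token
  4. only an unscoped token can be exchanged for another (scoped) token
plus the reply's alternative: a revoked unscoped token can no longer be scoped."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

UNSCOPED_TTL = 10 * 60  # seconds; the 10-minute lifetime from point 3 (assumed constant)


@dataclass
class Token:
    id: str
    user: str
    origin: str                    # origin that requested it (point 2)
    expires_at: float
    project: Optional[str] = None  # None means unscoped
    revoked: bool = False

    @property
    def scoped(self) -> bool:
        return self.project is not None


class TokenStore:
    """Hypothetical Keystone-side token store for the proposal above."""

    def __init__(self, projects_by_domain: Dict[str, Dict[str, List[str]]],
                 clock: Callable[[], float] = time.time):
        self.projects_by_domain = projects_by_domain  # {user: {domain: [projects]}}
        self.clock = clock
        self.tokens: Dict[str, Token] = {}

    def _new(self, user: str, origin: str, project: Optional[str] = None) -> Token:
        tok = Token(id=secrets.token_hex(16), user=user, origin=origin,
                    expires_at=self.clock() + UNSCOPED_TTL, project=project)
        self.tokens[tok.id] = tok
        return tok

    def issue_unscoped(self, user: str, origin: str, over_https: bool = True) -> Tuple[Token, dict]:
        # Point 2: initial issue only over HTTPS (client-cert/Kerberos auth assumed done).
        if not over_https:
            raise PermissionError("unscoped tokens are only issued over HTTPS")
        tok = self._new(user, origin)
        # Point 1: the response body carries the domain/project list, not the catalog.
        body = {"domains": [{"name": d, "projects": list(ps)}
                            for d, ps in self.projects_by_domain[user].items()]}
        return tok, body

    def _valid_unscoped(self, token_id: str, origin: str) -> Optional[Token]:
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked or tok.scoped:   # point 4 and revocation
            return None
        if tok.origin != origin:                        # same-origin rule (point 2)
            return None
        if self.clock() >= tok.expires_at:              # 10-minute lifetime (point 3)
            return None
        return tok

    def extend(self, token_id: str, origin: str) -> Token:
        # Point 3: a valid unscoped token buys a new one good for another TTL.
        tok = self._valid_unscoped(token_id, origin)
        if tok is None:
            raise PermissionError("unscoped token not valid for extension")
        return self._new(tok.user, origin)

    def scope(self, token_id: str, origin: str, project: str) -> Token:
        tok = self._valid_unscoped(token_id, origin)
        if tok is None:
            raise PermissionError("unscoped token not valid for scoping")
        allowed = {p for ps in self.projects_by_domain[tok.user].values() for p in ps}
        if project not in allowed:
            raise PermissionError("user has no role on that project")
        return self._new(tok.user, origin, project=project)

    def revoke(self, token_id: str) -> None:
        # The reply's alternative: long-lived but revocable; revocation closes the exchange path.
        self.tokens[token_id].revoked = True


class FakeClock:
    """Controllable clock so the lifetime rules can be checked deterministically."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk through the proposal with constructed sample data; returns the outcomes."""
    clock = FakeClock()
    store = TokenStore({"alice": {"d1": ["p1", "p2", "p3"], "d2": ["p4", "p5", "p6"]}}, clock)
    origin = "https://horizon.example"
    result = {}

    tok, body = store.issue_unscoped("alice", origin)
    result["domains"] = [d["name"] for d in body["domains"]]

    clock.advance(8 * 60)                      # Horizon renews every x < 10 minutes
    tok = store.extend(tok.id, origin)
    clock.advance(8 * 60)                      # 16 min after first issue, renewed token still good
    scoped = store.scope(tok.id, origin, "p4")
    result["scoped_project"] = scoped.project

    def attempt(fn) -> bool:
        try:
            fn()
            return True
        except PermissionError:
            return False

    result["scoped_rescoped"] = attempt(lambda: store.scope(scoped.id, origin, "p5"))
    result["cross_origin_extended"] = attempt(lambda: store.extend(tok.id, "https://other.example"))
    store.revoke(tok.id)
    result["revoked_usable"] = attempt(lambda: store.scope(tok.id, origin, "p1"))
    tok2, _ = store.issue_unscoped("alice", origin)
    clock.advance(UNSCOPED_TTL)                # let the fresh token reach its 10-minute limit
    result["expired_extendable"] = attempt(lambda: store.extend(tok2.id, origin))
    result["plain_http_issued"] = attempt(lambda: store.issue_unscoped("alice", origin, over_https=False))
    return result


if __name__ == "__main__":
    print(demo())
```

The demo shows the two positions in the thread side by side: the short TTL means a Horizon session that stops renewing goes stale on its own within ten minutes, while revoke() gives Keystone a way to cut a session off earlier regardless of how much lifetime the current token has left.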