> >>3.  Unscoped tokens should be very short lived:  10 minutes.
> >>Unscoped tokens should be infinitely extensible:   If I hand an
> >>unscoped token to keystone, I get one good for another 10 minutes.
> >>
> >Using this time limit, Horizon should extend all the unscoped tokens
> >every x min (with x < 10). Is this useful, or could they be long lived but
> >revocable by Keystone? In this case, after the unscoped token is
> >revoked it cannot be used to get a scoped token.
> Close. I was thinking more along the lines of  Horizon looking at
> the unscoped token and, if it is about to expire, exchanging one
> unscoped token for another.  The unscoped tokens would have a short
> time-to-live (10 minutes) and any scoped tokens they create would
> have the same time span:  we could in theory make the unscoped last
> longer, but I don't really think it would be necessary.
> 


When should Horizon check the token validity? If it depends on external
events, like user interactions, I think the time-frame should be similar to the
user session to avoid the need to authenticate users many times inside the
session.

If you use an external thread to renew the tokens, then they could be shorter, but
this would generate some traffic to evaluate.
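
The trade-off discussed in this thread, as an added example that is not part of the original message and is not Horizon or Keystone code: a toy simulation that counts token exchanges and forced re-logins when renewal is triggered only by user requests, by a background renewer, or avoided by a session-length token. The `simulate` function, its parameters, the click times and the rule that an expired token cannot be exchanged are assumptions made for illustration.

```python
TTL = 600  # unscoped token lifetime in seconds (the 10 minutes proposed in the thread)

# Constructed sample: times (s) at which the user sends a request in a one-hour session.
CLICKS = [30, 200, 500, 1500, 1560, 3000]

def simulate(clicks, session_end, ttl=TTL, margin=120, background_period=None):
    """Replay a session and count token exchanges and forced re-logins.

    margin: exchange the token when this many seconds or fewer remain.
    background_period: if set, a renewer wakes every this many seconds and
        applies the same check; if None, only user requests trigger it.
    Assumption: an expired token cannot be exchanged, the user must log in again.
    """
    events = [(t, "click") for t in clicks]
    if background_period:
        ticks = range(background_period, session_end, background_period)
        events += [(t, "tick") for t in ticks]
    events.sort()

    expires = ttl          # token issued at login, t = 0
    exchanges = relogins = 0
    for t, kind in events:
        if t >= expires:
            # Token is dead. A background tick can do nothing with it;
            # a user request forces a fresh authentication.
            if kind == "click":
                relogins += 1
                expires = t + ttl
            continue
        if expires - t <= margin:
            # Still valid but about to expire: swap it for a new one.
            exchanges += 1
            expires = t + ttl
    return {"exchanges": exchanges, "relogins": relogins}

if __name__ == "__main__":
    print("renew on user request only :", simulate(CLICKS, 3600))
    print("background renewer (60 s)  :", simulate(CLICKS, 3600, background_period=60))
    print("token as long as session   :", simulate(CLICKS, 3600, ttl=3600))
```

With the constructed clicks, request-driven renewal of a 10-minute token forces two re-logins after idle gaps, the background renewer avoids them at the cost of seven exchanges per hour per session, and a session-length token needs neither but stays usable for the whole hour unless it is revoked.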




_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
