V3 Identity API: No documented purpose for unscoped tokens
Bug #1214570 reported by
justinsb
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openstack-api-site |
Invalid
|
Undecided
|
Dolph Mathews | ||
Bug Description
The V3 Identity API does not document a purpose for unscoped tokens (vs domain tokens).
This causes confusion, see e.g. Bug #1208640, Bug #1208639.
| Changed in keystone: | |
| status: | New → Confirmed |
Revision history for this message
| Adam Young (ayoung) wrote | #1 |
| affects: | keystone → openstack-api-site |
| tags: | added: identity-api |
| Changed in openstack-api-site: | |
| assignee: | nobody → Dolph Mathews (dolph) |
Revision history for this message
| Dolph Mathews (dolph) wrote | #2 |
| Changed in openstack-api-site: | |
| status: | Confirmed → Invalid |
To post a comment you must log in.
This is probably optimized for Horizon, where they need to get a token from just userid and password, but want to have it linked to a project if possible in order to avoid doing multiple calls to keystone:
But Horizon needs to do multiple calls anyway. Probably what should haoppen is that if a user requests a token without explicit scope, they should get an unscoped token and a list of their projects, and optionally domains for which they have roles as well as a default project id. Then, Horizon or other UIs could chose to get a scoped token for the default project, or let the user select a project at that point.
Once we can do that, we have a cleaner way to do token reissue. tokens should only be reissued for the same or smaller scope. An unscoped token could get a token scoped to project or domain. Domain can only get other domain scoped tokens with fewer roles.