Tokens in OpenStack Identity API v2.0 Reference  - API v2.0 and extensions

Bug #1331790 reported by Matt Fischer
Affects: openstack-api-site
Status: Fix Released
Importance: Medium
Assigned to: Diane Fleming
Milestone: (not listed)

Bug Description

This API page does not document the token delete call. It's a DELETE operation that is /v2.0/tokens/{token-id}.

Example usage:

curl -X DELETE http://example.com:5000/v2.0/tokens/f4f38c14f5364b219de98a2ae5907a85 -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: 8862879b25224782b9266251a45a8dde"

-----------------------------------
Built: 2014-06-16T21:59:15+00:00
git SHA: 8e9aef87e49d7b8a0a53730ad98da923588a717e
URL: http://docs.openstack.org/api/openstack-identity-service/2.0/content/tokens.html
source File: file:/home/jenkins/workspace/identity-api-tox-doc-publishdocs/v2.0/src/ch_identity-service-api.xml
xml:id: tokens

Matt Fischer (mfisch)
description: updated
affects: openstack-manuals → openstack-api-site
Anne Gentle (annegentle) wrote :

So, I'm trying to triage this, and found that memcached token backends can't actually delete the token.
https://bugs.launchpad.net/keystone/+bug/1290293

And, token deletion was considered an undocumented feature, since revoking tokens is really in the realm of administrators. However, the openstackclient does support it: https://review.openstack.org/#/c/95208/

I think we should document this call for completeness but there should be clarity on who can revoke (only the current user can revoke their own token? Can only an admin revoke a token?) Plus with the memcache backend issue, does it really "work?"

Changed in openstack-api-site:
status: New → Triaged
importance: Undecided → Medium
Brant Knudson (blk-u) wrote :

If you're using memcache you should be able to invalidate tokens. That bug is a bug and not expected behavior. The issue is the way that keystone stores the revocation list when using memcache -- it tries to store the entire list and eventually it gets too long for memcache.

Token revocations work fine with other backends. Also, we're working on revocation events which is an alternative implementation that might not have this problem.

Revoking tokens should be documented as part of the API. Applications expect it for security reasons.

Dolph Mathews (dolph) wrote :

+1 for everything Brant said.

DELETE http://keystone:35357/v2.0/tokens/{token_id} is definitely a supported call (it was just never included in the original spec), but only for the admin API in v2 (it's never been exposed to the service API on :5000 as far as I know). Prior to v3, there were several requests to add the same call to the "service" API (allowing users to delete their own tokens), which is effectively analogous to a user logging themselves out.

Identity API v3 adds documented support for a similar call (DELETE /v3/auth/tokens):

  https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#revoke-token

And Identity API v3 does not distinguish between user-facing and admin-facing calls (instead, leaving that determination up to policy enforcement). The default policy in keystone for the v3 call allows for "admin or owner" to revoke a token, but given that tokens are bearer tokens, if you possess a token, you can also revoke it.

Changed in openstack-api-site:
assignee: nobody → Diane Fleming (diane-fleming)
milestone: none → liberty
status: Triaged → Confirmed
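The revoke-then-verify sequence behind the DELETE call from the bug description and Dolph's comment, as an added example (not code from the page or from Keystone). The endpoint hosts are constructed, the call is sent to the :35357 admin API as Dolph describes, and confirming the revocation assumes a HEAD validate on the same /v2.0/tokens/{token_id} path.

```python
import urllib.error
import urllib.request

# Constructed endpoints for this example. In v2.0 the DELETE call exists only on
# the admin API (:35357); the service API (:5000) never exposed it.
ADMIN_ENDPOINT = "http://keystone.example.com:35357"
SERVICE_ENDPOINT = "http://keystone.example.com:5000"


def _default_send(req):
    """Send the request and return the HTTP status, even for error responses."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def build_revoke_request(endpoint, caller_token, token_id):
    """DELETE /v2.0/tokens/{token_id}. X-Auth-Token carries the caller's own
    (admin) token; the token being revoked appears only in the path."""
    return urllib.request.Request(
        f"{endpoint}/v2.0/tokens/{token_id}", method="DELETE",
        headers={"X-Auth-Token": caller_token, "Accept": "application/json"})


def build_validate_request(endpoint, caller_token, token_id):
    """HEAD /v2.0/tokens/{token_id}: 2xx while the token is valid, 404 once revoked."""
    return urllib.request.Request(
        f"{endpoint}/v2.0/tokens/{token_id}", method="HEAD",
        headers={"X-Auth-Token": caller_token})


def revoke_and_verify(caller_token, token_id, endpoint=ADMIN_ENDPOINT, send=_default_send):
    """Revoke token_id, then confirm it no longer validates. Returns an outcome
    string instead of raising so callers can log every branch."""
    status = send(build_revoke_request(endpoint, caller_token, token_id))
    if status in (401, 403):
        return "denied: caller is not admin, or the call hit the :5000 service API"
    if status == 404:
        return "not-found: token unknown or already revoked"
    if status not in (200, 204):
        return f"unexpected: HTTP {status}"
    # The server accepted the revocation; check that the backend really dropped it
    # (the memcache revocation-list problem discussed above would surface here).
    check = send(build_validate_request(endpoint, caller_token, token_id))
    return "revoked" if check == 404 else f"revoked-but-still-valid: HTTP {check}"
```

The `send` parameter lets the same flow be exercised against a recorded fake, which is how a deployment check can be unit-tested without a live Keystone.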
OpenStack Infra (hudson-openstack) wrote : Fix proposed to api-site (master)

Fix proposed to branch: master
Review: https://review.openstack.org/236744

Changed in openstack-api-site:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to api-site (master)

Reviewed: https://review.openstack.org/236744
Committed: https://git.openstack.org/cgit/openstack/api-site/commit/?id=f975b99fbcab682360d3674cfc1b01beb24685de
Submitter: Jenkins
Branch: master

commit f975b99fbcab682360d3674cfc1b01beb24685de
Author: Diane Fleming <email address hidden>
Date: Sun Oct 18 16:36:34 2015 -0500

    Add Identity v2.0 DELETE token call

    Change-Id: I455045f82e61100a9ba5058af8fb422963f8d331
    Closes-Bug: #1331790

Changed in openstack-api-site:
status: In Progress → Fix Released