ttx: using UUID tokens implicitly enables online verification. A PKI token will attempt to be verified offline.
So to require online verification, you can have keystone start issuing UUID tokens:
token_format = UUID
+1 for impact description.
Adam: in folsom, the following code exposes the specific reason for auth failure back to the client:
+ raise exceptions.Unauthorized(
+ 'Token does not belong to specified tenant.')
In grizzly, the details of the failure are suppressed unless you're running in debug mode (so this code would be fine in grizzly). For the folsom patch, this needs to be simplified a bit:
+ raise exceptions. Unauthorized( )