Comment 3 for bug 1208639

Dolph Mathews (dolph) wrote :

> I hope that makes more sense now.

Yes it does!

> a domain-scoped token has the same use-cases as a token scoped to _no_ project

The only use case we support for unscoped tokens is that of authentication. Multifactor auth can be achieved by passing unscoped tokens back and forth before finally trading an unscoped token for one with authorization on a specific project or domain.

If you're going to argue that domain-scoped tokens support the same use case, you have to limit the conversation to domain-scoped tokens that have no roles, and therefore express no authorization over the referenced domain. At that point, the domain-scope is completely meaningless, and might as well be dropped.

> almost impossible to get an unscoped token in V3

Opinion.

> given the huge cost

Is there some context to this that I'm missing? What's the "huge cost?"