Comment 2 for bug 1291157

Victor Silva (victorsilva) wrote :

For anyone who tries to tackle this in the future, @rodrigods, @raildo, @tellesnobrega and I gave it a try and this is where we got:

As discussed on #keystone, this seems to be fairly easy to solve for UUID tokens, and should be done on the server (keystone), as indicated by @ayoung.

For PKI tokens, however, we might still need to do some more work elsewhere. The validation step in keystonemiddleware doesn't have access to the entire token, just its id, and the same approach of simply double-checking a token's IdP against the list of valid IdPs won't work.

There is an ongoing discussion about things that might help, with mentions of revocation events, decreasing the lifespan of tokens and fixing up mappings between IdP and domains. Whoever solves this should watch out for these changes and figure out another approach!
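The server-side check for UUID tokens that the comment sketches, written out as an added illustration that is not part of this bug thread or of keystone's code. The payload layout follows the v3 federated token body (`user.OS-FEDERATION.identity_provider.id`); the IdP registry, the `make_token` builder and all ids are constructed assumptions.

```python
"""Reject a federated token whose identity provider has been deleted or
disabled. Added illustration, not keystone code: the registry below is a
constructed stand-in for keystone's IdP backend."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the identity-provider registry.
IDP_REGISTRY = {
    "idp-acme": {"enabled": True},
    "idp-retired": {"enabled": False},
}
FED_KEY = "OS-FEDERATION"

def federated_idp_id(token_body):
    """Return the IdP id recorded in a federated token body, or None for a
    plain (non-federated) token, which carries no OS-FEDERATION block."""
    user = token_body.get("token", {}).get("user", {})
    fed = user.get(FED_KEY)
    if not fed:
        return None
    return fed.get("identity_provider", {}).get("id")

def validate_token_body(token_body, registry=IDP_REGISTRY, now=None):
    """Return (ok, reason). This needs the whole token body, which is why it
    belongs in keystone: keystonemiddleware only sees a PKI token's id."""
    now = now or datetime.now(timezone.utc)
    expires_raw = token_body["token"]["expires_at"].replace("Z", "+00:00")
    if datetime.fromisoformat(expires_raw) <= now:
        return False, "expired"
    idp_id = federated_idp_id(token_body)
    if idp_id is None:
        return True, "non-federated"
    idp = registry.get(idp_id)
    if idp is None:
        return False, "idp deleted: %s" % idp_id
    if not idp["enabled"]:
        return False, "idp disabled: %s" % idp_id
    return True, "ok"

def make_token(idp_id=None, ttl_hours=1):
    """Build a constructed v3-style token body (hypothetical helper)."""
    expires = datetime.now(timezone.utc) + timedelta(hours=ttl_hours)
    user = {"id": "u1", "name": "alice"}
    if idp_id:
        user[FED_KEY] = {"identity_provider": {"id": idp_id},
                         "protocol": {"id": "saml2"},
                         "groups": [{"id": "g1"}]}
    return {"token": {"expires_at": expires.strftime("%Y-%m-%dT%H:%M:%S.%f+00:00"),
                      "user": user}}
```

A token minted before an IdP is deleted or disabled still carries that IdP's id, so the registry lookup at validation time is what invalidates it without waiting for expiry.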