@Adam,
This is the issue with LDAP / Read-Only backends *and* a secondary issue with default middleware behavior:
===== Read-Only Backend =====
We don't know a user was disabled. We should check this when live-validating a token. PKI(Z): nothing we can do. The request to do a .user_is_enabled check is not unreasonable (for Federated users we obviously can't do this, but that is a separate concern wrt the notification from the IdP on user disable; this is an expected gap that we should be addressing in Liberty).
===== Keystonemiddleware w/o TRL checking (default) =====
KSM caches for ~300s, so we will keep tokens valid once they've been validated. TRL is a PKI-ism, and can be (is?) disabled by default with UUID since we don't have signing infrastructure.
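A constructed model of the two gaps described in the comment above (a read-only backend that is never asked whether the user is still enabled, and a caching middleware that trusts a validated token for ~300s). This is an added example, not Keystone or keystonemiddleware code; the class names, the `check_enabled` flag, the user and token values and the simulated clock are all assumptions.

```python
CACHE_TTL = 300  # seconds; stands in for keystonemiddleware's ~300s token cache

class ReadOnlyBackend:
    """LDAP-like backend: the token service only learns of a disable by asking."""
    def __init__(self, enabled):
        self.enabled = dict(enabled)  # user_id -> bool
    def user_is_enabled(self, user_id):
        return self.enabled.get(user_id, False)

class TokenService:
    """Hypothetical validator; check_enabled toggles the live user_is_enabled check."""
    def __init__(self, backend, check_enabled):
        self.backend, self.check_enabled, self.tokens = backend, check_enabled, {}
    def issue(self, token, user_id):
        self.tokens[token] = user_id
    def validate(self, token):
        user_id = self.tokens.get(token)
        if user_id is None:
            return False
        return not self.check_enabled or self.backend.user_is_enabled(user_id)

class CachingMiddleware:
    """KSM-like: a validated token is trusted for CACHE_TTL seconds without
    re-asking the token service (no revocation-list checking)."""
    def __init__(self, service, clock):
        self.service, self.clock, self.cache = service, clock, {}
    def accept(self, token):
        now = self.clock()
        hit = self.cache.get(token)
        if hit is not None and hit[1] > now:
            return hit[0]  # served from cache even if the user was disabled since
        valid = self.service.validate(token)
        self.cache[token] = (valid, now + CACHE_TTL)
        return valid

def simulate(check_enabled):
    """(accepted at issue, accepted right after disable, accepted after cache expiry)."""
    clock = {"t": 0}
    backend = ReadOnlyBackend({"alice": True})   # constructed sample user
    service = TokenService(backend, check_enabled)
    mw = CachingMiddleware(service, lambda: clock["t"])
    service.issue("tok-1", "alice")
    at_issue = mw.accept("tok-1")       # t=0: validated and cached
    backend.enabled["alice"] = False    # admin disables alice in the directory
    clock["t"] = 10
    after_disable = mw.accept("tok-1")  # cache hit: still accepted
    clock["t"] = CACHE_TTL              # entry expired: re-validated
    after_expiry = mw.accept("tok-1")   # only False if the live enabled check is on
    return at_issue, after_disable, after_expiry
```

Without the enabled check the token stays valid indefinitely; with it, the middleware cache still hides the disable for the remainder of the TTL, which is the window the second section describes.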