Comment 36 for bug 1434034

Guang Yee (guang-yee) wrote : Re: Even if the user is disabled, can use the last token is validated

For PKI(Z) tokens, if we update the revocation events or TRLs whenever a user is disabled, middleware token validation logic would still take that into consideration, though there could still be a small gap between when it actually updates its local revocation events and when the event actually occurred on the server side. Also, older releases only support the token revocation list, not revocation events.

Morgan's right about external IdPs: it would be difficult for Keystone to know when the user was actually disabled, or whether a user was disabled in real time or on a scheduled update. Keystone has absolutely no control over that.

We only have control over local identities. Though for LDAP identities, we also have a local mapping table, so in theory we can disable LDAP users locally with minimal code changes.

To me, security is about risk management. And this is no different than assessing the risk associated with caching the token validation results (i.e. memcache) at auth_token middleware. If there's a highly sensitive deployment out there which requires real-time token invalidation, then use locally managed identities and no caching. Also, calibrate the token TTL according to your risk tolerance.