I think this is going to come down to a decision to be made by the deployer - do I use token caching and for how long?
Secure deployments will likely not use caching; deployments with moderate requirements might want to use a shorter cache life, and isolated or low-risk clouds may even use longer-life caches.
Personally I think there are good grounds here for not only an OSSN but also an entry in the OpenStack Security Guide, discussing the tradeoff and possible compensating controls/procedures.
Very good points raised here.