Bind the Tokens to a secure authentication mechanism

Registered by Adam Young on 2013-04-24

In order to make tokens non-bearer tokens, we need to provide a way to ensure that only the user to whom the token was issued can use it. The simplest way to do that is to use an X509 client certificate and bind to the channel. The tokens can then embed a unique identifier for the certificate.

Kerberos will work as well. In that case, the token is bound to the Principal.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Medium
Drafter:
Adam Young
Direction:
Needs approval
Assignee:
Jamie Lennox
Definition:
Review
Series goal:
None
Implementation:
Implemented
Milestone target:
2013.2
Started by
Jamie Lennox on 2013-06-19
Completed by
Dolph Mathews on 2013-07-17

Related branches

Sprints

Whiteboard

Work is underway. Please add concerns/suggestions.

Is the Unique Identifier for the certificate the DN?

At the moment I am not setting any restrictions on an identifier for working with certificates. DN doesn't provide uniqueness typically, but depending on the organization I could see that it could be unique. The most common method of doing uniqueness is the issuer + serial number; I would prefer to do a hash of the certificate. There isn't any reason I can see to restrict this; it could easily be configurable.
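The following is an added illustration of the mechanism the blueprint describes (a token carrying a bind to the X509 certificate or Kerberos principal that authenticated the channel, checked again on every use) and of the two identifier choices raised on the whiteboard (issuer + serial versus a hash of the certificate). It is not Keystone's code or the code under review; the ClientCert and Channel records, the sample DER bytes, and the four enforcement modes are assumptions made for this example.

```python
"""Token binding, as an added example (not Keystone's implementation).

A token issued over a channel authenticated by an X509 client certificate or a
Kerberos principal carries a 'bind' entry; later use of the token is accepted
only when the presenter proves the same identity on the channel.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ClientCert:
    """Constructed stand-in for a parsed client certificate.
    Real code takes these fields from the TLS layer."""
    der: bytes     # DER bytes of the certificate as presented on the channel
    issuer: str    # issuer DN
    serial: int    # serial number assigned by that issuer


@dataclass(frozen=True)
class Channel:
    """What the server learned about the caller from the transport (assumed shape)."""
    cert: Optional[ClientCert] = None          # X509 client certificate, if any
    kerberos_principal: Optional[str] = None   # e.g. REMOTE_USER after Negotiate auth


def cert_fingerprint(cert: ClientCert) -> str:
    """Identifier option from the whiteboard: SHA-256 over the DER bytes."""
    return hashlib.sha256(cert.der).hexdigest()


def cert_issuer_serial(cert: ClientCert) -> str:
    """The other whiteboard option: issuer + serial, unique within a well-run CA."""
    return f"{cert.issuer}#{cert.serial:x}"


def issue_token(user_id: str, channel: Channel) -> Dict:
    """Embed a bind for whichever strong mechanism authenticated the channel."""
    token: Dict = {"user_id": user_id}
    bind: Dict[str, str] = {}
    if channel.cert is not None:
        bind["x509"] = cert_fingerprint(channel.cert)
    if channel.kerberos_principal is not None:
        bind["kerberos"] = channel.kerberos_principal
    if bind:
        token["bind"] = bind
    return token


class BindError(Exception):
    pass


def check_bind(token: Dict, channel: Channel, mode: str = "strict") -> None:
    """Reject use of the token unless the channel matches every bind it carries.

    mode is a hypothetical enforcement policy for this example:
      disabled   - ignore bind data
      permissive - enforce binds of kinds this server can verify, skip the rest
      strict     - enforce every bind; an unverifiable kind is an error
      required   - strict, and a token with no bind at all is also rejected
    """
    if mode == "disabled":
        return
    bind = token.get("bind") or {}
    if not bind:
        if mode == "required":
            raise BindError("token carries no bind information")
        return
    for kind, expected in bind.items():
        if kind == "x509":
            if channel.cert is None:
                raise BindError("token bound to a certificate but none presented")
            actual = cert_fingerprint(channel.cert)
        elif kind == "kerberos":
            if channel.kerberos_principal is None:
                raise BindError("token bound to a principal but none authenticated")
            actual = channel.kerberos_principal
        elif mode == "permissive":
            continue  # unknown kind: permissive mode does not enforce it
        else:
            raise BindError(f"cannot verify bind type {kind!r}")
        # Constant-time compare so a mismatch leaks nothing about the bound value.
        if not hmac.compare_digest(actual.encode(), expected.encode()):
            raise BindError(f"{kind} bind does not match the presenting client")


def bind_status(token: Dict, channel: Channel, mode: str = "strict") -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        check_bind(token, channel, mode)
        return "ok"
    except BindError as exc:
        return f"rejected: {exc}"


# Constructed sample data: the DER bytes are placeholders, not real certificates.
CERT_A = ClientCert(der=b"\x30\x82\x01\x00constructed-cert-A", issuer="CN=Example CA", serial=0x1001)
CERT_B = ClientCert(der=b"\x30\x82\x01\x00constructed-cert-B", issuer="CN=Example CA", serial=0x1002)
TOKEN_A = issue_token("alice", Channel(cert=CERT_A))

if __name__ == "__main__":
    print(TOKEN_A)
    print(bind_status(TOKEN_A, Channel(cert=CERT_A)))
    print(bind_status(TOKEN_A, Channel(cert=CERT_B)))
    print(bind_status(TOKEN_A, Channel()))
```

The check runs on the service validating the token, not only at issue time: a stolen token bound to CERT_A is useless to a client that cannot present CERT_A on its own TLS channel, which is what turns a bearer token into a non-bearer one. The hash over the DER bytes is preferred here because it is unique per certificate without trusting every issuer to manage serial numbers correctly; the issuer + serial variant is kept alongside it only to show the alternative from the whiteboard.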

Gerrit topic: https://review.openstack.org/#q,topic:bp/authentication-tied-to-token,n,z

Addressed by: https://review.openstack.org/35093
    Implement Token Binding.

Gerrit topic: https://review.openstack.org/#q,topic:v2_v3,n,z

Addressed by: https://review.openstack.org/36839
    Pluggable Remote User

Gerrit topic: https://review.openstack.org/#q,topic:bp/pluggable-remote-user,n,z

Addressed by: https://review.openstack.org/37377
    Fix XML rendering with empty auth payload.


Work Items
