Allow clients to opt-out of service catalog inclusion

Registered by Dolph Mathews

A service catalog is automatically included in a create token response (POST /v3/auth/tokens). While this behavior should not change, we should provide a method for clients to opt out of the catalog being included so that PKI tokens will be significantly smaller in a more complex deployment.

A create token request that opts out of the catalog could simply be accomplished via a query string:

  POST /v3/auth/tokens?nocatalog

(out of scope for this bp...) The catalog should also become independently available on a new endpoint, such as:

  GET /v3/catalog

Related Havana summit etherpad:

Blueprint information

Adam Young
Dolph Mathews
Fabio Giannetti
Series goal:
Accepted for havana
Milestone target:
milestone icon 2013.2
Started by
Dolph Mathews
Completed by
Thierry Carrez

Related branches



Increased the priority on this as it also represents a bug fix. Any progress on this? Definitely needs to land in m2 -dolph

Related discussion on the mailing list:

Related bug ("Token auth fails when token is larger than 8k"):

Dolph, we are actively working on it. Fabio (new HP engineer) should have a review ready by sometime next week (6/17 - 21) I think. (thanks! feel free to change the assignee on the bp appropriately -dolph)

(Fabio) Working on the bp. I need to have more details regarding the get /catalog behaviour:
Case 1) get /catalog has a X-subject-token in the request, the user-id and project-id are gathered from the token
Case 2) get /catalog does not have the X-subject-token but has two query params stating user-id and project-id
Case 3) get /catalog does not have token ref nor query params a 400 (bad request is returned)
Are those cases what we are looking for with this bp, please advice. Thanks, Fabio

Case 1 is the only one that needs to be handled (I don't see a use case for providing anything via query params, and that's a poor long term solution considering we'd like to remove that data from the catalog altogether). -dolph
+1 (gyee)
+1(topol) -- great to see this provide a way to reduce token size!

Gerrit topic:,topic:bp/catalog-optional,n,z

Addressed by:
    Implemented POST /v3/auth/tokens?no-catalog and GET /v3/catalog methods.

Gerrit topic:,topic:bp/authentication-tied-to-token,n,z

I'd like to introduce another implementation for this case

Gerrit topic:,topic:bp/compact-pki-token,n,z

Addressed by:
    Keystone compact PKI token


Work Items

This blueprint contains Public information 
Everyone can see this information.