HMAC Signature Based Token
Keystone supports the UUID and PKI token formats, and both have their pros and cons. UUID tokens are persistent, and manageability is the biggest problem with such tokens. PKI tokens are non-persistent, but they are heavyweight tokens that have proven to be a burden on the network.
HMAC signature based tokens are non-persistent, lightweight tokens that combine the best of UUID and PKI tokens.
The Keystone HMAC token framework will produce tokens containing one signature per endpoint in the service catalog. The HMAC signature will be generated over known facts (the hmac_text, which may contain the endpoint URL, user roles, expiration time, etc.). The validation process can rebuild the hmac_text and regenerate the signature after fetching the HMAC key from Keystone. These HMAC keys are non-persistent, ephemeral keys that can easily be queried and delivered to trusted services over a secure network. HMAC keys can also be replicated easily in an HA Keystone setup.
This technique is already used in Swift for the temp URL use case and can easily be extended to auth tokens.
http://
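As an added illustration that is not part of the original blueprint or of Keystone's code, the following Python sketch shows the issue and validate halves of the scheme described above: one HMAC-SHA256 signature per catalog endpoint over a canonical hmac_text (endpoint URL, sorted roles, expiry), and a validator that rebuilds that text, fetches the ephemeral key by a key id and compares in constant time. The key store dictionary, the `key_id` field and the exact layout of hmac_text are assumptions for the example; the blueprint does not specify them. Dropping or rotating a key in the store is what gives the "supports revocation" property listed below.

```python
import hashlib
import hmac
import os
import time

# Constructed, hypothetical ephemeral key store (key_id -> key bytes).
# It stands in for the keys a trusted service would fetch from Keystone.
KEYS = {"k1": os.urandom(32)}


def build_hmac_text(endpoint_url, roles, expires_at):
    """Canonical text that both issuer and validator compute identically.
    Roles are sorted so ordering differences cannot change the signature."""
    return "\n".join([endpoint_url, ",".join(sorted(roles)), str(int(expires_at))])


def sign(key, hmac_text):
    """HMAC-SHA256 over the canonical text, hex encoded."""
    return hmac.new(key, hmac_text.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_token(user_id, roles, endpoints, ttl_seconds, keys=KEYS, key_id="k1", now=None):
    """Build a token carrying one signature per endpoint in the catalog.
    Nothing here is persisted: the token is fully self-describing."""
    now = time.time() if now is None else now
    expires_at = int(now + ttl_seconds)
    key = keys[key_id]
    catalog = [
        {"url": url, "signature": sign(key, build_hmac_text(url, roles, expires_at))}
        for url in endpoints
    ]
    return {
        "user_id": user_id,
        "roles": sorted(roles),
        "expires_at": expires_at,
        "key_id": key_id,  # assumed field: lets the validator pick the right ephemeral key
        "catalog": catalog,
    }


def validate_token(token, endpoint_url, keys=KEYS, now=None):
    """A service validates only the catalog entry for its own endpoint.
    Returns (ok, reason). Expiry is checked before any crypto is done."""
    now = time.time() if now is None else now
    if token["expires_at"] <= now:
        return False, "expired"
    key = keys.get(token["key_id"])
    if key is None:
        # Key rotated away or deliberately dropped: every token signed with it is dead.
        return False, "unknown key (rotated or revoked)"
    entry = next((e for e in token["catalog"] if e["url"] == endpoint_url), None)
    if entry is None:
        return False, "no signature for this endpoint"
    expected = sign(key, build_hmac_text(endpoint_url, token["roles"], token["expires_at"]))
    # Constant-time compare so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, entry["signature"]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("alice", ["member"], ["https://compute.example/v2", "https://image.example/v2"], 3600)
    print(validate_token(tok, "https://compute.example/v2"))
    tok["roles"] = ["admin"]  # tampering with roles invalidates the recomputed signature
    print(validate_token(tok, "https://compute.example/v2"))
```

The validator recomputes rather than decrypts, so the only state a service needs is the current set of ephemeral keys; a stale or tampered token fails on expiry, key lookup or signature mismatch, in that order.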
The major benefits of these tokens are:
- Non-persistent
- Lightweight
- Supports revocation
Spec TBD
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Arvind Tiwari
- Direction: Needs approval
- Assignee: Arvind Tiwari
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Morgan Fainberg
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/