List Revocation Events

Registered by Adam Young

List the events that lead to revoked tokens instead of the revoked token IDs.

Revocation events will be a tuple: UserId, ProjectId, time.
The list of revocation events will only last until the project has expired.
Revocation lists will be grouped by domain id or project id.

As a consequence of this blueprint, GET /v3/auth/tokens/OS-PKI/revoked should be deprecated.

This will close bug 1242620.

Blueprint information

Adam Young
Needs approval
Adam Young
Series goal: Accepted for icehouse
Milestone target: 2014.1
Started by: Dolph Mathews
Completed by: Thierry Carrez


I like the concept of grouping by domain (vs. group by project). As long as we
collect the revocation events for a given domain (if we don't know about the
domain yet, aka no events on the notification bus, no record of revocation
events). If an event for a (never before seen) domain comes across the bus,
we should request the full list of events for that domain. Would you expect a
complete refresh of the list on a domain for an event? --morganfainberg


- We can drop token persistence completely for PKI tokens (the revocation list is
  the only reason we need it today).


OCSP - Online Certificate Status Protocol


- Tokens MUST be re-issued with the exact same expires_at to support explicit token revocation. Issuing tokens with a shorter expiration is no longer a valid option in the future.

To be addressed:

Similar to other services, we need to provide links in the events packet. Primarily we need to know the location of the bus from which to receive deltas.

Gerrit topic: bp/revocation-events

Addressed by: (merged)

Gerrit topic: (detached)

Addressed by: (abandoned)
    Token Revocation Extension

Addressed by: (merged)
    append extension name to trust notifications

Addressed by: (merged)
    Don't duplicate the existing config file list

Addressed by: (merged)
    initialize environment for tests that call popen

Addressed by: (merged)
    Allow event callback registration for arbitrary resource types

Addressed by: (merged)
    Notifications upon disable

Addressed by: (merged)
    Additional notifications for revocations

Addressed by:
    revocation events

Gerrit topic: additional-notifications-for-revocation

Gerrit topic: bp/efficient-revocation-check

Addressed by: (abandoned)
    SQL Backend for Revocation Events

Addressed by:
    Revocation events for keystonemiddleware


Work Items

[ayoung] Define format for reporting items: TODO
[ayoung] spec out tool to determine if a token matches revocation criteria: TODO
[ayoung] determine how to report revoking a specific token: TODO
[ayoung] determine how to report token chain of allocation: TODO
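
The matching rule implied by the blueprint description (an event is the tuple UserId, ProjectId, time; a validator checks a token against the event list instead of against revoked token IDs) and by the "tool to determine if a token matches revocation criteria" work item, as an added example in Python; this is not Keystone's own code, and the field names, the "None means any" wildcard, the domain_id field and the pruning rule are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
# Field names and the "None means any" wildcard are assumptions; the blueprint
# only says an event is the tuple (UserId, ProjectId, time).
@dataclass(frozen=True)
class RevocationEvent:
    user_id: Optional[str]
    project_id: Optional[str]
    domain_id: Optional[str]
    issued_before: datetime  # tokens issued before this instant are revoked
@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: Optional[str]
    domain_id: Optional[str]
    issued_at: datetime

def event_matches(event: RevocationEvent, token: Token) -> bool:
    """A token matches if every field set on the event equals the token's."""
    for want, have in ((event.user_id, token.user_id),
                       (event.project_id, token.project_id),
                       (event.domain_id, token.domain_id)):
        if want is not None and want != have:
            return False
    return token.issued_at < event.issued_before

def is_revoked(token: Token, events: List[RevocationEvent]) -> bool:  # replaces the id lookup in GET /v3/auth/tokens/OS-PKI/revoked
    return any(event_matches(e, token) for e in events)

def prune(events: List[RevocationEvent], now: datetime,
          max_lifetime: timedelta) -> List[RevocationEvent]:
    """Drop events that can no longer hit a live token (assumed rule: the newest
    token an event covers expires by issued_before + max_lifetime)."""
    return [e for e in events if e.issued_before + max_lifetime > now]

T0 = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample data
EVENTS = [RevocationEvent("alice", None, None, T0),  # e.g. user alice disabled
          RevocationEvent(None, "proj-1", None, T0 + timedelta(minutes=5))]  # project disabled

def check_samples() -> List[bool]:
    mk = lambda u, p, t: Token(u, p, "dom-1", t)
    return [is_revoked(mk("alice", "proj-2", T0 - timedelta(minutes=1)), EVENTS),
            is_revoked(mk("alice", "proj-2", T0 + timedelta(minutes=1)), EVENTS),
            is_revoked(mk("bob", "proj-1", T0 + timedelta(minutes=3)), EVENTS),
            is_revoked(mk("bob", "proj-1", T0 + timedelta(minutes=10)), EVENTS)]
def prune_samples() -> List[int]:  # events left 62 min and 2 h after T0, 1 h tokens
    return [len(prune(EVENTS, T0 + timedelta(minutes=m), timedelta(hours=1)))
            for m in (62, 120)]
```

Because matching is by (user, project, domain, issue time) rather than by token id, the validator never needs the token persisted, which is the property the whiteboard note about dropping PKI token persistence relies on.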
