Session Extendable Length Tokens

Registered by Adam Young on 2014-04-22

Horizon currently uses the token as a stand-in for caching the user ID and password. As token expirations are made shorter, Horizon sessions will time out more frequently.

The general rule for web applications is that if the user is active within the session timeout (usually set to 10 minutes), the expiration time of the session is moved forward. Tokens should behave the same way: if the user has an active session, a token-to-token transition should be allowed to extend the expiration time of the token. A few limitations are needed, however, to prevent abuse of the refresh.

Only unscoped tokens should be extensible this way. That is, the token carries no project or domain scope whatsoever, and so cannot be used against any service outside of Keystone itself.

A token-to-token refresh can extend the expiration time of a token only if the request comes from the same source that performed the original authentication.
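The sliding-expiration behaviour and both limitations above, as an added illustration that is not code from Keystone or Horizon. The in-memory store, the token ID format, the `source` field (an identifier for the client that authenticated, such as a remote address) and the sample timestamps are assumptions made for the example.

```python
"""Sliding expiration for unscoped tokens, with the blueprint's two limits.

Added illustration, not code from Keystone or Horizon. The in-memory store,
the token ID format and the `source` field (an identifier for the client that
authenticated, e.g. a remote address) are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import secrets

# The text's "usually set to 10 minutes" session timeout.
SESSION_TIMEOUT = timedelta(minutes=10)


class TokenError(Exception):
    """Raised when a token is invalid, expired or not eligible for refresh."""


@dataclass
class Token:
    token_id: str
    user_id: str
    source: str                       # assumed: who originally authenticated
    expires_at: datetime
    project_id: Optional[str] = None  # either scope field set => scoped token
    domain_id: Optional[str] = None

    @property
    def is_scoped(self) -> bool:
        return self.project_id is not None or self.domain_id is not None


class TokenStore:
    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def issue(self, user_id: str, source: str, now: datetime,
              project_id: Optional[str] = None,
              domain_id: Optional[str] = None) -> Token:
        tok = Token(secrets.token_hex(16), user_id, source,
                    now + SESSION_TIMEOUT, project_id, domain_id)
        self._tokens[tok.token_id] = tok
        return tok

    def validate(self, token_id: str, now: datetime) -> Token:
        tok = self._tokens.get(token_id)
        if tok is None or now >= tok.expires_at:
            raise TokenError("unknown or expired token")
        return tok

    def refresh(self, token_id: str, source: str, now: datetime) -> Token:
        """Token-to-token refresh that slides the expiry forward.

        The presented token must still be valid, must be unscoped, and the
        request must come from the same source as the original
        authentication.  A new unscoped token is issued with a fresh
        SESSION_TIMEOUT window; the old token is left to age out.
        """
        tok = self.validate(token_id, now)
        if tok.is_scoped:
            raise TokenError("only unscoped tokens are extensible")
        if source != tok.source:
            raise TokenError("refresh must come from the original source")
        return self.issue(tok.user_id, tok.source, now)


def demo() -> dict:
    """Walk through the allowed refresh and each refused case."""
    store = TokenStore()
    t0 = datetime(2014, 4, 22, 12, 0, tzinfo=timezone.utc)  # constructed
    client = "10.0.0.5"               # constructed sample source identifier
    out = {}

    unscoped = store.issue("alice", client, t0)
    # Active 8 minutes in: expiry moves from t0+10m to t0+18m.
    renewed = store.refresh(unscoped.token_id, client, t0 + timedelta(minutes=8))
    out["extended_minutes"] = int((renewed.expires_at - t0).total_seconds() // 60)

    scoped = store.issue("alice", client, t0, project_id="demo")
    cases = [
        ("other_source", renewed.token_id, "203.0.113.9", t0 + timedelta(minutes=9)),
        ("scoped", scoped.token_id, client, t0 + timedelta(minutes=1)),
        ("expired", unscoped.token_id, client, t0 + timedelta(minutes=11)),
    ]
    for label, token_id, source, when in cases:
        try:
            store.refresh(token_id, source, when)
            out[label] = "extended"
        except TokenError as exc:
            out[label] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```

Run as a script to see the extended expiry and the three refusals. Note that the blueprint's rules alone let an always-active client renew indefinitely; a deployment would normally also cap the total lifetime a chain of refreshed tokens may reach, which this example deliberately leaves out because the text does not specify one.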

Blueprint information

Status: Complete
Approver: None
Priority: Low
Drafter: Adam Young
Direction: Needs approval
Assignee: None
Definition: Superseded
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Steve Martinelli on 2017-02-03

Related branches

Sprints

Whiteboard

(morganfainberg): In short, yes, this is a feature we should consider, but it will depend on where we go with the Authorization topic at the Kilo summit.

This was superseded by https://blueprints.launchpad.net/keystone/+spec/allow-expired

Gerrit topic: https://review.openstack.org/#q,topic:bp/session-extendable-tokens,n,z

Addressed by: https://review.openstack.org/96648
    Session Tokens

Addressed by: https://review.openstack.org/105812
    proposed change for session tokens


Work Items
