Session Extendable Length Tokens
Horizon currently uses the Token as a means to cache the userid and password. As we make token expirations shorter, sessions are going to time out more frequently.
The general rule with web applications is that if the user is active within the session timeout (usually set to 10 minutes), the expiration time of the session is moved forward. This same behavior should be reflected in tokens: if the user has an active session, the token-to-token transition should allow for an extension of the expiration time of the token. However, there need to be a few limitations in order to prevent attacks.
Only unscoped tokens should be extensible this way. That means that the token has no scope whatsoever, and is not usable in any external service outside of keystone.
A token-to-token refresh event can only extend the expiration time of a token if the request comes from the same original source.
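As an added example (not Keystone's own code), the two limitations above expressed as a small in-memory token store: a token-to-token refresh extends the expiry only when the old token is unscoped, the new token is unscoped, and the request comes from the same original source. The `origin` string standing in for "original source", the 10-minute timeout and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TIMEOUT = 600.0  # 10-minute idle timeout, as with a typical web session


@dataclass
class Token:
    id: str
    user_id: str
    origin: str           # original source the token was issued to (assumed: a client identifier)
    scope: Optional[str]  # None means unscoped: usable only against keystone itself
    expires_at: float


class TokenStore:
    """In-memory token store whose token-to-token refresh follows the extension rules above."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the behaviour can be checked deterministically
        self._tokens: Dict[str, Token] = {}

    def issue(self, user_id: str, origin: str, scope: Optional[str] = None) -> Token:
        tok = Token(secrets.token_hex(16), user_id, origin, scope, self._clock() + SESSION_TIMEOUT)
        self._tokens[tok.id] = tok
        return tok

    def refresh(self, token_id: str, origin: str, scope: Optional[str] = None) -> Token:
        """Exchange a valid token for a new one; the old token stays valid until it expires."""
        now = self._clock()
        old = self._tokens.get(token_id)
        if old is None or old.expires_at <= now:
            raise PermissionError("token unknown or expired")
        # Extension only for an unscoped -> unscoped exchange requested from the same source.
        if old.scope is None and scope is None and origin == old.origin:
            expires_at = now + SESSION_TIMEOUT
        else:
            expires_at = old.expires_at  # scoped, rescoped or foreign-source request: no extension
        # The new token inherits the ORIGINAL source, so a chain of refreshes started from
        # another source can never extend the lifetime either.
        new = Token(secrets.token_hex(16), old.user_id, old.origin, scope, expires_at)
        self._tokens[new.id] = new
        return new
```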
Blueprint information
- Status: Complete
- Approver: None
- Priority: Low
- Drafter: Adam Young
- Direction: Needs approval
- Assignee: None
- Definition: Superseded
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Steve Martinelli
Whiteboard
(morganfainberg): In short, yes, this is a feature we should consider, but it will depend on where we go with the Authorization topic at the Kilo summit.
This was superseded by https:/
Gerrit topic: https:/
Addressed by: https:/ (Session Tokens)
Addressed by: https:/ (proposed change for session tokens)