Implement auth on Identity API v3

Registered by Joe Savak

Identity API v2 briefly had an extension called OS-KSVALIDATE, the goal of which was to eliminate the use of token ID's in URL's (see bug 861854).

Example calls from OS-KSVALIDATE:

  GET /v2.0/token/validate (passing in X-Subject-Token)
  GET /v2.0/token/endpoints (passing in X-Subject-Token)
  DELETE /v2.0/token (passing in X-Subject-Token)

Given that this needs to be a core behavior, the Identity API v3 auth spec picked up the use of the X-Subject-Token header, rather than passing token ID's as part of a restful URL.

The goal of this blueprint is therefore to implement the following Identity API v3 calls:

  Exchanging credentials for a token: POST /v3/auth
  Online token validation: GET /v3/auth (passing in X-Subject-Token)
  Retrieve service catalog for a token: GET /v2.0/auth/catalog (passing in X-Subject-Token)
  Token revocation: DELETE /v2.0/auth (passing in X-Subject-Token)

Blueprint information

Status:
Complete
Approver:
None
Priority:
High
Drafter:
None
Direction:
Approved
Assignee:
Guang Yee
Definition:
Approved
Series goal:
Accepted for grizzly
Implementation:
Implemented
Milestone target:
milestone icon 2013.1
Started by
Joseph Heck
Completed by
Thierry Carrez

Related branches

Sprints

Whiteboard

Originally implemented in legacy here: https://review.openstack.org/#change,2889

Addressed by: https://review.openstack.org/7010

Gerrit topic: https://review.openstack.org/#q,topic:bp/pluggable-identity-authentication-handlers,n,z

Addressed by: https://review.openstack.org/21487
    blueprint pluggable-identity-authentication-handlers blueprint stop-ids-in-uris blueprint multi-factor-authn (just the plumbing) v3 authentication and token APIs

Gerrit topic: https://review.openstack.org/#q,topic:bug/1126048,n,z

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.