Tokens with subsets of roles
Allow a user to request a token with a subset of the roles that they have, so they don't give away too much authority with each token.
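As an added illustration (not Keystone's code; the user, roles and signing key are constructed placeholders), this Python sketch shows the two halves of the idea: at issue time a requested subset is accepted only if every role is actually held, and at enforcement time the decision is made on the roles inside the token rather than on the user's full assignment.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: a user's full role assignment on one project.
ASSIGNED_ROLES = {"alice": {"admin", "member", "reader"}}
# Placeholder key for the demo; a real token formatter uses a managed key.
SIGNING_KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(user, requested_roles=None):
    """Issue a token that carries an explicit role list.

    With no request, the token carries every role the user holds.  With a
    requested subset, only those roles are embedded.  Asking for a role the
    user does not hold is refused outright rather than silently dropped, so
    a mistaken or hostile request can never escalate beyond the assignment.
    """
    held = ASSIGNED_ROLES[user]
    roles = held if requested_roles is None else set(requested_roles)
    if not roles <= held:
        raise PermissionError(f"roles not held by {user}: {sorted(roles - held)}")
    if not roles:
        raise ValueError("a token must carry at least one role")
    payload = json.dumps({"user": user, "roles": sorted(roles)},
                         sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_token(token):
    """Check the HMAC and return the payload; a tampered token is rejected."""
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature mismatch")
    return json.loads(payload)


def is_allowed(token, required_role):
    """Enforce on the token's own roles: a member-only token issued to an
    admin cannot perform admin actions, which is the whole point."""
    return required_role in validate_token(token)["roles"]
```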
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Adam Young
- Direction: Needs approval
- Assignee: None
- Definition: Superseded
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Lance Bragstad
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Fernet token formatter with explicit role
(vishakha) 19-02-13: Can be marked as invalid now, as the default roles work is going to land soon, which ensures limited access in the token [1].
(lbragstad): Looks like this specification is still in the discussion phase [0] without negative feedback. We should keep this open until we have a reason to close it or an implementation merged.
[0] https:/
Certainly not invalid. The closest we have are App Creds, but those do not cover all use cases. This is a security hardening step that removes elevation-of-privilege type attacks. It should have been supported from the beginning, and needs to be implemented at some point.
(lbragstad) 19-02-15: I'm marking this as superseded based on the plan socialized on the mailing list [0]. All relevant content from this blueprint has been ported to an RFE bug report [1].
[0] http://
[1] https:/