Store the token HASH in Secure Cookie for HTML clients
To implement HATEOAS, Keystone clients need to be able to authenticate and to have that authentication persist across multiple requests. Passing the token in a custom header does not work for web browsers, which do not attach custom headers to the links they follow.
If the request's Accept header lists HTML or XHTML, the token hash (not the token itself) should be stored in a Secure cookie. Subsequent requests to Keystone then check for the presence and validity of the hash in the cookie in order to continue authenticating the user's requests.
Only unscoped tokens will be stored in the Secure cookie; scoped tokens are returned in the response body only.
Requesting another unscoped token replaces the unscoped token in the cookie but does not extend its lifetime unless the request is accompanied by the valid credentials that were used to issue the first token.
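The following is an added illustration of the flow described above, written for this page and not Keystone's own code. It models a token store that indexes tokens by SHA-256 hash, a token request handler that sets a Secure, HttpOnly cookie holding the hash only for HTML/XHTML clients and only for unscoped tokens, re-issue from the cookie that keeps the original expiry, and the Origin allow-list that the whiteboard note below proposes. The cookie name, the token lifetime, the allowed Origin, the user table and the use of SHA-256 are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

# Names and values below are assumptions for this example, not Keystone's.
COOKIE_NAME = "keystone_token_hash"
TOKEN_TTL = 3600                                          # token lifetime in seconds
ALLOWED_ORIGINS = {"https://keystone.example.com:5000"}   # limited Origin allow-list
USERS = {"alice": "correct horse battery staple"}         # constructed user table


@dataclass
class Token:
    token_id: str
    user_id: str
    expires_at: int
    project_id: Optional[str] = None   # None means the token is unscoped

    @property
    def scoped(self) -> bool:
        return self.project_id is not None


def token_hash(token_id: str) -> str:
    """The cookie and the server-side index hold only the hash, never the bearer token."""
    return hashlib.sha256(token_id.encode()).hexdigest()


class TokenStore:
    def __init__(self):
        self._by_hash = {}

    def issue(self, user_id, now, project_id=None, expires_at=None):
        tok = Token(secrets.token_hex(16), user_id,
                    now + TOKEN_TTL if expires_at is None else expires_at, project_id)
        self._by_hash[token_hash(tok.token_id)] = tok
        return tok

    def validate_hash(self, h, now):
        tok = self._by_hash.get(h)
        return None if tok is None or tok.expires_at <= now else tok


def wants_html(headers) -> bool:
    accept = headers.get("Accept", "")
    return "text/html" in accept or "application/xhtml+xml" in accept


def cookie_hash(headers) -> str:
    morsel = SimpleCookie(headers.get("Cookie", "")).get(COOKIE_NAME)
    return morsel.value if morsel else ""


def authorize(store, headers, now):
    """Check a follow-on request: allowed Origin plus a valid hash in the cookie."""
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return None
    return store.validate_hash(cookie_hash(headers), now)


def authenticate(store, headers, now, user_id=None, password=None, project_id=None):
    """Handle one token request; returns (status, token, response_headers)."""
    if password is not None:
        # Real credentials: a fresh token with a fresh lifetime.
        if not hmac.compare_digest(USERS.get(user_id, ""), password):
            return 401, None, {}
        tok = store.issue(user_id, now, project_id)
    else:
        # Cookie only: this is a browser context, so the Origin check applies.
        if headers.get("Origin") not in ALLOWED_ORIGINS:
            return 403, None, {}
        old = authorize(store, headers, now)
        if old is None:
            return 401, None, {}
        # Re-issue keeps the old expiry: no lifetime extension without credentials.
        tok = store.issue(old.user_id, now, project_id, expires_at=old.expires_at)

    response = {}
    # Only unscoped tokens go in the cookie, and only for HTML/XHTML clients.
    if not tok.scoped and wants_html(headers):
        jar = SimpleCookie()
        jar[COOKIE_NAME] = token_hash(tok.token_id)
        jar[COOKIE_NAME]["secure"] = True
        jar[COOKIE_NAME]["httponly"] = True
        jar[COOKIE_NAME]["samesite"] = "Strict"
        response["Set-Cookie"] = jar.output(header="").strip()
    return 200, tok, response
```

Two caveats a deployment would have to settle: the old token stays valid after a re-issue here, since the blueprint only says the cookie is replaced, and browsers omit the Origin header on some same-origin GET navigations, so a strict allow-list as written would reject those requests; the example treats a missing Origin as a failure rather than guessing.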
Blueprint information
- Status: Complete
- Approver: None
- Priority: Not
- Drafter: None
- Direction: Needs approval
- Assignee: Adam Young
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Morgan Fainberg
Whiteboard
We should set the Origin Header and only allow a limited set of Origin values.
The Keystoneclient should set the origin value from the auth-url.