Short living tokens don't require validation

Registered by Alexander Makarov

TL;DR: If we can make tokens expire in 5 minutes, it is possible to get rid of token validation.

The only reason long-lived tokens are necessary is that tokens must be passed between actors, and those actors cannot re-authenticate to obtain a token with the same scope.
By introducing unified delegation we offer the paradigm "if your token has expired, ask for a new one", which removes the need for long-lived tokens.
keystonemiddleware already caches validated tokens for 5 minutes, so there is already a lag between token revocation (for any reason) and actual token invalidation on the client side.

Consequently, we can perform all validations when the token is issued and then consider the token valid for its entire lifetime, all 5 minutes of it.

Optionally, validations can be applied to the expired tokens - this may be implemented as configurable behavior.
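
The comparison argued above, as an added example (not code from the blueprint or from keystonemiddleware): a small simulation that measures how long a revoked token is still accepted under cached validation versus expiry-only acceptance. All names are hypothetical, the scenario is constructed, and it assumes the service can trust the token's expiry field, which the blueprint does not specify.

```python
# Added illustration; all names are hypothetical, not keystonemiddleware APIs.
CACHE_TTL = 300  # seconds a validated token stays cached (the 5 minutes cited above)


class CachingValidator:
    """Current model: validate online once, then trust the cached result."""
    def __init__(self, revoked):
        self.revoked = revoked    # shared set standing in for the identity service
        self.trusted_until = {}   # token id -> end of the cached validation

    def accept(self, token, now):
        if now >= token["expires_at"]:
            return False
        if self.trusted_until.get(token["id"], 0) > now:
            return True           # cache hit: revocation is not consulted
        if token["id"] in self.revoked:
            return False          # online validation sees the revocation
        self.trusted_until[token["id"]] = now + CACHE_TTL
        return True


def accept_expiry_only(token, now):
    """Proposed model: checks were done at issue, so only expiry is compared.
    Assumes the service can trust expires_at (integrity-protected token)."""
    return now < token["expires_at"]


def revocation_window(accept, token, revoked_at, step=10):
    """Seconds after revocation during which the token is still accepted."""
    t = revoked_at
    while accept(token, t):
        t += step
    return t - revoked_at


def compare(revoked_at=0):
    """Constructed scenario: both tokens issued at t=0 and revoked at revoked_at."""
    revoked = set()
    long_tok = {"id": "long", "expires_at": 3600}   # long-lived, validated online
    short_tok = {"id": "short", "expires_at": 300}  # 5-minute token, never validated
    warm = CachingValidator(revoked)
    warm.accept(long_tok, 0)          # cached before the revocation happens
    revoked.update({"long", "short"})
    cold = CachingValidator(revoked)  # a service that never cached the token
    return (revocation_window(warm.accept, long_tok, revoked_at),
            revocation_window(cold.accept, long_tok, revoked_at),
            revocation_window(accept_expiry_only, short_tok, revoked_at))


if __name__ == "__main__":
    print(compare())
```

`compare()` returns the windows for a warm cache, a cold cache, and expiry-only acceptance, in that order. The worst case is the same 300 seconds for the warm cache and the short-lived token, but a service that has not cached the token rejects it immediately under validation, while expiry-only acceptance honours it until it expires.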

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Alexander Makarov
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Morgan Fainberg

Whiteboard

(stevemar) 2016-02-02: I think this is superseded by fernet tokens
