Keystone should use keystoneclient authtoken middleware

Registered by Jamie Lennox

Token checking/validating in keystone for authenticated functions is spread over a wide range of files: some check admin, some retrieve the token data, some actually authenticate and some don't.

This is ludicrous: we have auth token middleware that we provide to other applications, and the authenticated sections of keystone should also rely on this mechanism. This would involve figuring out how to provide certificates to the middleware for PKI tokens and properly understanding what requires authentication and at what level. Hopefully it would also mean that we no longer need to save the token metadata to the database; we could rely on the signed token passed to keystone in the way that other projects do and save token data only for revocation purposes.
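A sketch of the design proposed above, added here as an example and not Keystone or keystoneclient code: one WSGI middleware validates a signed token, consults a revocation-only store, and enforces a per-route level. It assumes an HMAC as a stand-in for the PKI token signature; the route table, header handling and all names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the PKI signature
REVOKED_IDS = set()  # the only token state kept server-side
# Hypothetical route table: level each path requires ("none", "user" or "admin").
REQUIRED = {"/v3/auth/tokens": "none", "/v3/projects": "user", "/v3/users": "admin"}

def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def issue_token(user, roles, ttl=300):
    """Sign the token body so it can be checked later without a database lookup."""
    body = json.dumps({"id": secrets.token_hex(8), "user": user,
                       "roles": roles, "exp": time.time() + ttl}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def validate(token):
    """Return the token data, or None if malformed, forged, expired or revoked."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None
    data = json.loads(body)  # safe to parse: the signature has been verified
    if data["exp"] < time.time() or data["id"] in REVOKED_IDS:
        return None
    return data

def revoke(token_id):
    REVOKED_IDS.add(token_id)

class AuthMiddleware:
    """Single enforcement point; handlers behind it never parse tokens themselves."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        # Paths missing from the table fail closed to the strictest level.
        level = REQUIRED.get(environ.get("PATH_INFO", ""), "admin")
        data = validate(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if level != "none" and data is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"invalid or revoked token"]
        if level == "admin" and "admin" not in data["roles"]:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"admin role required"]
        environ["auth.context"] = data  # validated token data for the handler
        return self.app(environ, start_response)
```

Revocation is keyed on the `id` field inside the signed body rather than on a hash of the token string, so re-encoding a revoked token does not yield a fresh identifier.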

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Jamie Lennox
Direction: Needs approval
Assignee: None
Definition: Superseded
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Morgan Fainberg

Whiteboard

A lot of this is superseded by the work towards non-persistent tokens. I'm going to mark this as superseded and we can continue the discussion on specifics as we progress.
