Please note: This schedule is for OpenStack Active Technical Contributors participating in the Icehouse Design Summit sessions in Hong Kong. These are working sessions to determine the roadmap of the Icehouse release and make decisions across the project. To see the full OpenStack Summit schedule, including presentations, panels and workshops, go to http://openstacksummitnovember2013.sched.org.
A token may not be expired yet, but the authorization it presents may no longer be valid.
As a result, keystoneclient.middleware.auth_token constantly needs to ask "Is this token valid?" We've taken a couple of different approaches to answering this question in the past, including:
- UUID tokens + online token validation
- PKI tokens + periodically fetching a list of revoked tokens
Both existing solutions require keystone to track issued tokens so that it can later know which to consider as "revoked," and both solutions result in an undesirable amount of network traffic and activity against the token backend.
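The trade-off between the two existing approaches, as an added sketch that is not keystone or keystoneclient code: `ToyKeystone` and `OfflineMiddleware` are hypothetical names, one signed token format serves both modes, and an HMAC stands in for PKI signing. It counts round trips to the token service and shows the window in which a locally validated token is still accepted after revocation.

```python
import hashlib, hmac, json, uuid

SIGNING_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for PKI signing

def _sign(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

class ToyKeystone:
    """Hypothetical token service that tracks issued tokens so it can revoke them."""
    def __init__(self):
        self.issued, self.revoked = {}, set()   # token id -> expiry; revoked ids
        self.requests = 0                       # round trips made by middleware

    def issue(self, user, now, ttl=3600):
        claims = {"id": uuid.uuid4().hex, "user": user, "exp": now + ttl}
        self.issued[claims["id"]] = claims["exp"]
        body = json.dumps(claims)
        return body + "." + _sign(body)

    def revoke(self, token):
        self.revoked.add(json.loads(token.rsplit(".", 1)[0])["id"])

    def validate_online(self, token, now):
        """Online approach: one round trip per check, always current."""
        self.requests += 1
        tid = json.loads(token.rsplit(".", 1)[0])["id"]
        return tid not in self.revoked and self.issued.get(tid, 0) > now

    def revocation_list(self):
        self.requests += 1
        return set(self.revoked)

class OfflineMiddleware:
    """Offline approach: local signature/expiry check plus a cached revocation list."""
    def __init__(self, keystone, refresh=300):
        self.ks, self.refresh = keystone, refresh
        self.cached, self.fetched_at = set(), None

    def is_valid(self, token, now):
        if self.fetched_at is None or now - self.fetched_at >= self.refresh:
            self.cached, self.fetched_at = self.ks.revocation_list(), now
        body, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return False                        # forged or altered token
        claims = json.loads(body)
        # Unexpired and correctly signed is not enough: the id must not be revoked.
        return claims["exp"] > now and claims["id"] not in self.cached
```

Shortening `refresh` narrows the stale-acceptance window at the cost of more revocation-list fetches, which is the traffic the paragraph above describes.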
I'd like to select and pursue a better approach (if any) to avoid the pitfalls described above. Proposed solutions include: