Change the expires_at time of a Fernet Token --- Ocata

asked 2017-06-16 09:42:34 -0500

ksugiu

Hi all, :)

I'm looking to change the "expires_at" variable of a Fernet token (just 1 token that I want to re-use afterwards) in my OpenStack Ocata deployment. I know how to do it for UUID tokens (in mysql>keystone>token), but I don't know how it works for Fernet tokens... Fernet uses "memcached" and I can't change "expires_at" through the APIs....

Can someone help me?

thx :)



The expiration time is encoded in the token itself; see the code. I doubt it can be changed.

Bernd Bausch ( 2017-06-17 08:44:42 -0500 )

And even if you could change the expiration time, once the key that the token was encrypted with gets rotated out of the key repository, Keystone would be unable to decrypt and validate the token.

Della ( 2017-06-28 07:50:39 -0500 )

Actually, looking at Bernd Bausch's link again, only creation_time is encoded in the token itself. expires_at is part of the payload.

Della ( 2017-06-29 08:27:55 -0500 )
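
To illustrate the comments above, here is an added example (not part of the original thread and not Keystone's code) that follows the token layout in the Fernet spec using only the Python standard library. The signing key, timestamp and ciphertext bytes are constructed placeholders and no real AES encryption is performed; the point is that the creation timestamp is readable without a key, while editing it, or any byte of the encrypted payload where Keystone keeps expires_at, invalidates the HMAC.

```python
import base64, hashlib, hmac, os, struct

# Fernet layout: 0x80 | 8-byte timestamp | 16-byte IV | ciphertext | 32-byte HMAC-SHA256
SIGNING_KEY = bytes(range(16))   # constructed; first half of a 32-byte Fernet key
CIPHERTEXT = b"\xaa" * 32        # constructed stand-in for the AES-CBC encrypted payload
CREATED = 1497600000             # constructed creation time (seconds since epoch)

def build_token(signing_key, ciphertext, created):
    """Assemble and sign a token in Fernet format."""
    body = b"\x80" + struct.pack(">Q", created) + os.urandom(16) + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).rstrip(b"=")  # Keystone drops '=' padding

def decode(token):
    """Restore base64 padding and return the raw token bytes."""
    return base64.urlsafe_b64decode(token + b"=" * (-len(token) % 4))

def creation_time(token):
    """Read the timestamp field; this needs no key."""
    raw = decode(token)
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    return struct.unpack(">Q", raw[1:9])[0]

def signature_valid(token, signing_key):
    """Recompute the HMAC over everything before the tag, as a validator would."""
    raw = decode(token)
    expected = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(raw[-32:], expected)

def with_timestamp(token, new_time):
    """Overwrite the timestamp field without re-signing."""
    raw = bytearray(decode(token))
    raw[1:9] = struct.pack(">Q", new_time)
    return base64.urlsafe_b64encode(bytes(raw)).rstrip(b"=")

def flip_bit(token, offset):
    """Flip one bit at a raw byte offset (offset 25 is the first ciphertext byte)."""
    raw = bytearray(decode(token))
    raw[offset] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).rstrip(b"=")

TOKEN = build_token(SIGNING_KEY, CIPHERTEXT, CREATED)

if __name__ == "__main__":
    print("created:", creation_time(TOKEN), "valid:", signature_valid(TOKEN, SIGNING_KEY))
    edited = with_timestamp(TOKEN, CREATED + 86400)
    print("edited timestamp valid:", signature_valid(edited, SIGNING_KEY))
    print("edited payload valid:", signature_valid(flip_bit(TOKEN, 25), SIGNING_KEY))
```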