Ask Your Question

Keystone v3 Token Validation [closed]

asked 2014-08-21 13:45:51 -0500

astone gravatar image

updated 2014-08-21 13:47:41 -0500


Planning on using keystone for an application as the identity service.

I know in v2.0 a token can be authenticated and therefore validated and decoded.

I know in v3.0 there's an API method (GET /auth/tokens/) that can be called to verify a token.

My only concern with the v3.0 API is that during an authentication check, the act of querying keystone to verify is added delay and would essentially hamper API performance. Granted I could cache the tokens, but would I still need to pull 'revoked' tokens?

I noticed that a v3.0 token uses the same signing system as v2.0

Is there any harm, short and long, in using the v2.0 system of token validation/decoding on a v3.0 Token? In other words, pull the certificate from keystone (every minute or two for example) and check the signature of the token? Using the certificate is more heavy on system resource, but at least it would avoid marshall/unmarshall/network latency for verify token via the API for each single request

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by astone
close date 2014-08-21 22:02:49.588996

2 answers

Sort by ยป oldest newest most voted

answered 2014-08-21 16:16:11 -0500

updated 2014-08-25 15:17:38 -0500

I don't understand your question. Clients can validate the token themselves or ask keystone to validate it.

GET v3/auth/tokens  -- Can be used by the clients to validate the token
curl -i  -H "X-Auth-Token: Token of person who is validating"  -H "X-Subject-Token: "Token To be validated"  http://identity-host:35357/v3/auth/token

GET v2.0/tokens      --  Can be used by the clients to validate the token.

curl -i  -H "X-Auth-Token: Token of person who is validating"     http://identity-host:35357/v2.0/tokens/<"Token To be validated">

(i.e) The call you mentioned is v3 call and v2 has an equivalent call. So nothing new in v3 as for as token validation is concerned

Keystone has 2 types of token. They are UUID and PKI. This is applicable both for v2 and v3

PKI is cert based and it can be verified in the clients using certs. PKI tokens can also be send to keystone via GET v3/auth/tokens or GET v2.0/token to validate

UDDI token can only be validated by sending it to keystone. Keystone default token type is PKI

Update 1:

You are correct about cert apis. It looks odd to call that using V2.0 path. Most probably they will migrate it to v3. There is no logic involved there. As far as I know only keystone middleware is using that apis and it is easy to migrate. Even keystonemiddleware fetches it only once and dumps them under signing dir. So if you manually copy those files, then you are fine

Update 2:

Actually keystone has those cert apis in v3. It is under different root

edit flag offensive delete link more


Please see comment replied to question - ran out of space in the comment box =)

astone gravatar imageastone ( 2014-08-21 18:31:12 -0500 )edit

Sounds good. Thanks for all the information - much appreciated!

astone gravatar imageastone ( 2014-08-21 22:02:21 -0500 )edit

answered 2014-08-21 18:30:50 -0500

astone gravatar image

updated 2014-08-21 18:32:14 -0500

Thanks for the reply.

I've read and experienced quite the opposite with v2. I've seen no documentation for GET /v2.0/tokens and the only way to validate the token is using the PKI method. As apposed to V3.0, there is an API which will do the validation (glad it's there).

Regardless, there is no v3.0 API to retrieve the certificates, which makes me inclined to believe that it (along with all v2.0) could one day be fully deprecated and removed, while keystone may still having support for v3.0.

So in summary, if I plan on using the v3.0 API and validating using the PKI method, it seems questionable to be using the GET /v2.0/certificates/signing API to pull certs to validate against objects provided by the v3.0 API - which leads me to wonder if this is a questionable thing to do ?

edit flag offensive delete link more


I have updated original response.

Haneef Ali gravatar imageHaneef Ali ( 2014-08-21 21:07:41 -0500 )edit

I see it - excellent. Thank you very much again!

astone gravatar imageastone ( 2014-08-25 15:42:06 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-08-21 13:45:51 -0500

Seen: 1,583 times

Last updated: Aug 25 '14