Refresh revoked token in horizon/keystone
Hi,
I'm developing on top of Horizon and Keystone and I have come across the following behaviour:
If user A loses a grant (for example gets a role revoked in one project by user B) all his tokens are revoked. Therefor, if the user was logged in and performing some actions in Horizon suddenly he will be unable to do anything and get a red warning message, because his current token is invalid and every request returns 401 Unauthorized. The only way I've found for user A to get a new token is to log out and log in again, which is annoying, counterintutive (because no explanation is given to the user about what is happening) and feels like a random failure for the user (because he might not realize someone revoked him a role).
The question:
Is there anyway to get a new token (refresh) for user A under-the-hood and with out him noticing (other than maybe a page refresh)? I wan't to avoid having the user type the password again but the current token got revoked so I can't use it to fetch a new one. I've been looking into it and seems that horizon caches the unscoped token in request.session['unscoped_token']
.
Edit after Haneef's answer
As @Haneef Ali pointed out in his answer, I can reuse this token to get a new scoped token. The question now is how to force Horizon to do this. Maybe calling the login view again will do it automatically?
Thanks for any advice or help.
Automatic rescoping of the unscoped token is not currently supported in horizon. If you wish to do this, you would have to modify https://github.com/openstack/horizon/... the process_exception in particular.