Is there a way to tell Keystone that the scope of the new token requested (when using "token" as authentication method) is the same as the presented token?
In other words, in the absence of a "scope" attribute in the new request, can Keystone be hinted at using the same scope as the original?
No. You can't do this. Why do you want to do that?
Essentially, to try to "renew a token". To tell Keystone: "I'm this person with this scope of authorization, I wish to renew this token with the same scope".
Say an application doing some scheduled background operations. User originally authenticated with some scope. And background process just wants to renew that token; but may not know explicitly what the original scope was (or care).
I understand this usecase, and this usecase has to be done with trust/delegation of trust. Also rescope won't renew the expiry( I believe so), so it is not going to help.
If it extends expriry time, then an attacker can make this permanent token by rescoping for ever.
Thanks Ali. Indeed token from token doesn't renew expiry. I was under the assumption it did. But i tried and it doesn't. New tokens from the token, have the same expiry.
I will read up on trusts.
Asked: 2015-04-08 09:48:30 -0600
Seen: 324 times
Last updated: Apr 10 '15
