Keeping original scope when requesting a new token from token

asked 2015-04-08 09:48:30 -0600

pentatonic

Is there a way to tell Keystone that the scope of the new token requested (when using "token" as authentication method) is the same as the presented token?

In other words, in the absence of a "scope" attribute in the new request, can Keystone be hinted at using the same scope as the original?


2 answers


answered 2015-04-08 10:30:50 -0600

No. You can't do this. Why do you want to do that?


answered 2015-04-10 08:31:19 -0600

pentatonic

Essentially, to try to "renew a token". To tell Keystone: "I'm this person with this scope of authorization, I wish to renew this token with the same scope".

Say an application doing some scheduled background operations. User originally authenticated with some scope. And background process just wants to renew that token; but may not know explicitly what the original scope was (or care).



I understand this use case, and this use case has to be done with trust/delegation of trust. Also, rescope won't renew the expiry (I believe so), so it is not going to help.

Haneef Ali ( 2015-04-10 14:48:29 -0600 )

If it extends expiry time, then an attacker can make this a permanent token by rescoping forever.

Haneef Ali ( 2015-04-10 14:49:58 -0600 )

Thanks Ali. Indeed, token from token doesn't renew expiry. I was under the assumption it did. But I tried and it doesn't. New tokens from the token have the same expiry.

I will read up on trusts.

pentatonic ( 2015-04-13 10:37:23 -0600 )
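
The token-method request discussed in this thread, as an added example (not code from the thread or from Keystone): since Keystone will not infer the scope, a client can read it from the validated token body (`GET /v3/auth/tokens`) and send it back explicitly. The sample token body, its IDs and the helper names are constructed for illustration; as the thread notes, the new token keeps the original expiry, so the client still has to track it.

```python
from datetime import datetime, timezone

def scope_from_token(token_body):
    """Derive a `scope` object from a validated Keystone v3 token body."""
    token = token_body["token"]
    if "project" in token:                      # project-scoped token
        return {"project": {"id": token["project"]["id"]}}
    if "domain" in token:                       # domain-scoped token
        return {"domain": {"id": token["domain"]["id"]}}
    return None                                 # unscoped token

def rescope_request(token_id, token_body):
    """Build the POST /v3/auth/tokens body: token method, same scope as before."""
    auth = {"identity": {"methods": ["token"], "token": {"id": token_id}}}
    scope = scope_from_token(token_body)
    if scope is not None:
        auth["scope"] = scope
    return {"auth": auth}

def seconds_left(token_body, now):
    """Lifetime remaining; a token obtained from this one expires at the same time."""
    expires = datetime.strptime(token_body["token"]["expires_at"],
                                "%Y-%m-%dT%H:%M:%S.%fZ")
    return (expires.replace(tzinfo=timezone.utc) - now).total_seconds()

# Constructed sample of a validated project-scoped token body (IDs are made up).
SAMPLE = {"token": {
    "methods": ["password"],
    "expires_at": "2015-04-08T16:48:30.000000Z",
    "user": {"id": "u-123", "name": "demo", "domain": {"id": "default"}},
    "project": {"id": "p-456", "name": "demo", "domain": {"id": "default"}},
}}

if __name__ == "__main__":
    import json
    print(json.dumps(rescope_request("EXAMPLE_TOKEN_ID", SAMPLE), indent=2))
    now = datetime(2015, 4, 8, 16, 0, 0, tzinfo=timezone.utc)
    print("seconds until expiry:", seconds_left(SAMPLE, now))
```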



Asked: 2015-04-08 09:48:30 -0600

Seen: 324 times

Last updated: Apr 10 '15