Refresh revoked token in horizon/keystone

Hi,
I'm developing on top of Horizon and Keystone and I have come across the following behaviour:
If user A loses a grant (for example gets a role revoked in one project by user B) all his tokens are revoked. Therefore, if the user was logged in and performing some actions in Horizon suddenly he will be unable to do anything and get a red warning message, because his current token is invalid and every request returns 401 Unauthorized. The only way I've found for user A to get a new token is to log out and log in again, which is annoying, counterintuitive (because no explanation is given to the user about what is happening) and feels like a random failure for the user (because he might not realize someone revoked him a role).

Is there any way to get a new token (refresh) for user A under-the-hood and without him noticing (other than maybe a page refresh)? I want to avoid having the user typing the password again but the current token got revoked so I can't use it to fetch a new one.

In other words, is there a way to reuse the authentication part of the token even if the authorization part is revoked? Looking at keystone code looks like the whole token gets invalidated and revoked.

Thanks for any advice or help.

Refresh revoked token in horizon/keystone

Hi,
I'm developing on top of Horizon and Keystone and I have come across the following behaviour:
If user A loses a grant (for example gets a role revoked in one project by user B) all his tokens are revoked. Therefore, if the user was logged in and performing some actions in Horizon suddenly he will be unable to do anything and get a red warning message, because his current token is invalid and every request returns 401 Unauthorized. The only way I've found for user A to get a new token is to log out and log in again, which is annoying, counterintuitive (because no explanation is given to the user about what is happening) and feels like a random failure for the user (because he might not realize someone revoked him a role).

The question: Is there any way to get a new token (refresh) for user A under-the-hood and without him noticing (other than maybe a page refresh)? I want to avoid having the user typing the password again but the current token got revoked so I can't use it to fetch a new one.

In other words, is there a way to reuse the authentication part of the token even if the authorization part is revoked? Looking at keystone code looks like the whole token gets invalidated and revoked.

Thanks for any advice or help.

Refresh revoked token in horizon/keystone

Hi,
I'm developing on top of Horizon and Keystone and I have come across the following behaviour:
If user A loses a grant (for example gets a role revoked in one project by user B) all his tokens are revoked. Therefore, if the user was logged in and performing some actions in Horizon suddenly he will be unable to do anything and get a red warning message, because his current token is invalid and every request returns 401 Unauthorized. The only way I've found for user A to get a new token is to log out and log in again, which is annoying, counterintuitive (because no explanation is given to the user about what is happening) and feels like a random failure for the user (because he might not realize someone revoked him a role).

The question: Is there any way to get a new token (refresh) for user A under-the-hood and without him noticing (other than maybe a page refresh)? I want to avoid having the user type the password again but the current token got revoked so I can't use it to fetch a new one.

In other words, is there a way to reuse the authentication part of the token even if the authorization part is revoked? Looking at keystone code looks like the whole token gets invalidated and revoked.

Thanks for any advice or help.

Refresh revoked token in horizon/keystone

Hi,
I'm developing on top of Horizon and Keystone and I have come across the following behaviour:
If user A loses a grant (for example gets a role revoked in one project by user B) all his tokens are revoked. Therefore, if the user was logged in and performing some actions in Horizon suddenly he will be unable to do anything and get a red warning message, because his current token is invalid and every request returns 401 Unauthorized. The only way I've found for user A to get a new token is to log out and log in again, which is annoying, counterintuitive (because no explanation is given to the user about what is happening) and feels like a random failure for the user (because he might not realize someone revoked him a role).

The question: Is there any way to get a new token (refresh) for user A under-the-hood and without him noticing (other than maybe a page refresh)? I want to avoid having the user type the password again but the current token got revoked so I can't use it to fetch a new one.

In other words, is there a way to reuse the authentication part of the token even if the authorization part is revoked? Looking at keystone code looks like the whole token gets invalidated and revoked.

EDIT: I've been looking into it and seems that horizon caches the unscoped token in request.session['unscoped_token']. It would be great if I could use that token (which is essentially only authentication, no authorization) to ask for a new scoped token.

Thanks for any advice or help.

Refresh revoked token in horizon/keystone

Hi,
I'm developing on top of Horizon and Keystone and I have come across the following behaviour:
If user A loses a grant (for example gets a role revoked in one project by user B) all his tokens are revoked. Therefore, if the user was logged in and performing some actions in Horizon suddenly he will be unable to do anything and get a red warning message, because his current token is invalid and every request returns 401 Unauthorized. The only way I've found for user A to get a new token is to log out and log in again, which is annoying, counterintuitive (because no explanation is given to the user about what is happening) and feels like a random failure for the user (because he might not realize someone revoked him a role).

The question: Is there any way to get a new token (refresh) for user A under-the-hood and without him noticing (other than maybe a page refresh)? I want to avoid having the user type the password again but the current token got revoked so I can't use it to fetch a new one.

In other words, is there a way to reuse the authentication part of the token even if the authorization part is revoked? Looking at keystone code looks like the whole token gets invalidated and revoked.

EDIT: I've been looking into it and seems that horizon caches the unscoped token in request.session['unscoped_token']. It would be great if I could use that token (which is essentially only authentication, no authorization) to ask for a new scoped token.

Edit after Haneef's answer
As @Haneef Ali pointed out in his answer, I can reuse this token to get a new scoped token. The question now is how to force Horizon to do this. Maybe calling the login view again will do it automatically?

Thanks for any advice or help.
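
The rescoping flow discussed in the post, as an added example that is not part of the original question and not Horizon's or Keystone's own code. `rescope_body` builds the Keystone v3 `POST /v3/auth/tokens` body for the `token` auth method; `FakeKeystone`, the `session['token']` key and all token and project ids are constructed so the flow runs offline. The new token is only issued for a project where the user still holds a role, so the revoked grant stays revoked.

```python
def rescope_body(unscoped_token, project_id):
    # Keystone v3 POST /v3/auth/tokens body using the "token" auth method.
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": unscoped_token}},
        "scope": {"project": {"id": project_id}}}}


class FakeKeystone:
    """Constructed in-memory stand-in for Keystone (hypothetical, offline)."""

    def __init__(self):
        self.unscoped = {"unscoped-abc"}       # authentication-only tokens
        self.scoped = {"scoped-1": "proj-1"}   # scoped token id -> project
        self.roles = {"proj-1", "proj-2"}      # projects where user A has a role
        self.issued = 1

    def revoke_role(self, project_id):
        # Behaviour described in the post: losing a grant kills the scoped tokens.
        self.roles.discard(project_id)
        self.scoped.clear()

    def post_auth_tokens(self, body):
        token = body["auth"]["identity"]["token"]["id"]
        project = body["auth"]["scope"]["project"]["id"]
        if token not in self.unscoped or project not in self.roles:
            return 401, None
        self.issued += 1
        new_id = "scoped-%d" % self.issued
        self.scoped[new_id] = project
        return 201, new_id  # the real API returns the id in X-Subject-Token

    def api_call(self, token, project_id):
        return 200 if self.scoped.get(token) == project_id else 401


def call_with_rescope(keystone, session, project_id):
    """Retry once after a 401 by rescoping from session['unscoped_token']."""
    status = keystone.api_call(session.get("token"), project_id)
    if status != 401:
        return status
    code, new_id = keystone.post_auth_tokens(
        rescope_body(session["unscoped_token"], project_id))
    if code != 201:
        return 401  # no role left, or unscoped token invalid: re-login needed
    session["token"] = new_id
    return keystone.api_call(new_id, project_id)
```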