openstack team mailing list archive

[Greg <gholt@xxxxxxxxxxxxx>]

On Mar 3, 2011, at 7:02 PM, Michael Mayo wrote:

>> The problem with this logic is that you are optimizing wrong.  In a token based auth system, the tokens are valid generally for a period of time (24 hours normally with Rackspace auth), and it is a best practice to cache this.  Saying that you are reducing HTTP requests for 1 request that has to happen every 24 hours isn't saving you that much.
> 
> It depends.  If you're in a busy area of a big city with 1 bar of EDGE coverage on your phone, latency becomes your biggest connectivity issue.  So if you're only doing something with the API every 24 hours, auth could reasonably be close to 50% of the time you stare in frustration cursing your carrier.

I think this is a good reason to support both token and request signing. Token works wonderfully for multi-request apps, simplistic curl-type tools, and dev work. Signing works great for infrequent requests and slow links and apps that want that extra bit of security or that have to work over plain text links.