
openstack team mailing list archive

Re: [keystone] v3 API draft (update and questions to the community)

 

The X-Subject-Token solution is definitely not valid HTTP, in that it
implies that two otherwise identical requests for GET /tokens would return
two completely different results (hence the need for a Vary header, as we
include for X-Auth-Token).

I have a slightly more proper (and complicated) solution in mind if we want
to continue with the current token architecture, but I'd much rather see
PKI deprecate the idea of centralized token validation.

Either way, I don't think a bug needs to be opened because it's not
implemented in keystone today anyway (it was implemented in legacy, and
wasn't ported to redux).

-Dolph

On Tue, Jun 12, 2012 at 11:10 AM, Joseph Heck <heckj@xxxxxxx> wrote:

> > P.S. the X-Subject-Token stuff is breaking HTTP; you need to either put
> > the token (or a facsimile for it) in the URL, or put Vary: Subject-Token in
> > EVERY response those resources generate. The former is preferred; this is
> > over TLS, right? Sorry I didn't see that earlier.
> >
> > P.P.S If it's not too late, drop the X- from that header!
> > <http://tools.ietf.org/html/draft-ietf-appsawg-xdash-05>
>
> Mark - could you open a bug against Keystone for the X-Subject-Token
> "breaking HTTP" with the relevant details?
>
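The caching concern discussed in this thread, as an added example that is not part of the original messages and is not Keystone code: a toy shared cache that stores responses under method and URL, refined only by the request headers the response names in `Vary`. The handler, the token values, the `Vary` value and all class and function names are constructed for illustration.

```python
# Added illustration: a toy shared HTTP cache; not Keystone code.
# Handler, tokens and names below are constructed for this example.

VALID_TOKENS = {"token-alice"}  # constructed sample data


def origin(req_headers, send_vary):
    """Hypothetical GET /tokens handler: validates the token in X-Subject-Token."""
    subject = req_headers.get("X-Subject-Token", "")
    body = {"subject_token": subject, "valid": subject in VALID_TOKENS}
    resp_headers = {"Vary": "X-Auth-Token, X-Subject-Token"} if send_vary else {}
    return resp_headers, body


class SharedCache:
    """Caches by (method, URL), refined by the request headers named in Vary."""

    def __init__(self, send_vary):
        self.send_vary = send_vary
        self.store = {}       # (method, url) -> list of (vary, vary_key, body)
        self.origin_hits = 0

    @staticmethod
    def _vary_key(vary, req_headers):
        # Secondary cache key: values of the request headers listed in Vary.
        names = sorted(n.strip().lower() for n in vary.split(",") if n.strip())
        lowered = {k.lower(): v for k, v in req_headers.items()}
        return tuple((n, lowered.get(n)) for n in names)

    def get(self, url, req_headers):
        primary = ("GET", url)
        for vary, key, body in self.store.get(primary, []):
            if self._vary_key(vary, req_headers) == key:
                return body   # cache hit: origin is never consulted
        self.origin_hits += 1
        resp_headers, body = origin(req_headers, self.send_vary)
        vary = resp_headers.get("Vary", "")
        entry = (vary, self._vary_key(vary, req_headers), body)
        self.store.setdefault(primary, []).append(entry)
        return body


def validate_two_tokens(send_vary):
    """Validate a good token, then a different one, through the same cache."""
    cache = SharedCache(send_vary)
    first = cache.get("/tokens", {"X-Auth-Token": "admin", "X-Subject-Token": "token-alice"})
    second = cache.get("/tokens", {"X-Auth-Token": "admin", "X-Subject-Token": "token-revoked"})
    return first["valid"], second["valid"], cache.origin_hits
```

Without `Vary`, the second request is answered from the entry stored for the first token, so an invalid subject token is reported as valid; with `Vary` listing the header, each subject token gets its own cache entry.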
