author | Zuul <zuul@review.openstack.org> | 2019-02-22 03:53:02 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2019-02-22 03:53:02 +0000 |
commit | 3b2b79750d13eb65ebd0f0a42206c16c3bde8741 (patch) | |
tree | 9141634486cf0e143013c5792531a7819458422b /keystone/conf | |
parent | ace45841943ed6b698b8a5aea35a80c119c3cae3 (diff) | |
parent | 96adccd0ec0398251268f9ae89732005e340035c (diff) | |
download | keystone-3b2b79750d13eb65ebd0f0a42206c16c3bde8741.tar.gz |
Merge "Implement JWS token provider"
Diffstat (limited to 'keystone/conf')
-rw-r--r-- | keystone/conf/token.py | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/keystone/conf/token.py b/keystone/conf/token.py
index 6c9ab3be8..2676d00e6 100644
--- a/keystone/conf/token.py
+++ b/keystone/conf/token.py
@@ -38,10 +38,15 @@ provider = cfg.StrOpt(
     help=utils.fmt("""
 Entry point for the token provider in the `keystone.token.provider` namespace.
 The token provider controls the token construction, validation, and revocation
-operations. Keystone includes `fernet` token provider.
-`fernet` tokens do not need to be persisted at all, but require that you run
-`keystone-manage fernet_setup` (also see the `keystone-manage fernet_rotate`
-command).
+operations. Supported upstream providers are `fernet` and `jws`. Neither
+`fernet` or `jws` tokens require persistence and both require additional setup.
+If using `fernet`, you're required to run `keystone-manage fernet_setup`, which
+creates symmetric keys used to encrypt tokens. If using `jws`, you're required
+to generate an ECDSA keypair using a SHA-256 hash algorithm for signing and
+validating token, which can be done with `keystone-manage create_jws_keypair`.
+Note that `fernet` tokens are encrypted and `jws` tokens are only signed.
+Please be sure to consider this if your deployment has security requirements
+regarding payload contents used to generate token IDs.
 """))
 
 caching = cfg.BoolOpt( |
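Review bot: The rewritten help text drops the pointer to `keystone-manage fernet_rotate` that the removed lines carried, so an operator reading this option no longer learns that fernet keys are meant to be rotated; keep a clause such as `(also see the keystone-manage fernet_rotate command for key rotation)` after the sentence about `fernet_setup`. Two wording fixes in the added lines: `Neither fernet or jws tokens require persistence` should read `Neither fernet nor jws tokens require persistence`, and `validating token` should be `validating tokens`. The closing security caveat is vaguer than it needs to be: since the text itself states jws tokens are only signed, say plainly that their payload is not confidential, e.g. `jws token payloads are signed but not encrypted, so anyone holding a token can decode its contents`. The enclosing `provider = cfg.StrOpt(` statement begins outside the hunk.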