From af6f1924eb96dbacb608db59687eaa4faacc55f9 Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Thu, 2 Apr 2015 10:15:29 +1100
Subject: [PATCH] Increase minimum token life required MIN_TOKEN_LIFE_SECONDS is the number of seconds that the token provided must be valid for to be used when making authentication requests. 1 second has always been a dumb number and was not based on any existing value. Because a user token may be reused by a service to make requests on behalf of a user if the token is valid when sent it may not be valid for the life of the request. 2 minutes is also an arbitrary value, but it should allow plenty of time for service requests to complete before being rejected.
Closes-Bug: #1441910
Change-Id: I395a0770e72d1ec7904e656ca382a5270f793a8b
---
 keystoneclient/auth/identity/base.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/keystoneclient/auth/identity/base.py b/keystoneclient/auth/identity/base.py
index d8cd2a6..75c6d7f 100644
--- a/keystoneclient/auth/identity/base.py
+++ b/keystoneclient/auth/identity/base.py
@@ -34,8 +34,9 @@ def get_options():
 @six.add_metaclass(abc.ABCMeta)
 class BaseIdentityPlugin(base.BaseAuthPlugin):
- # we count a token as valid if it is valid for at least this many seconds
- MIN_TOKEN_LIFE_SECONDS = 1
+ # we count a token as valid (not needing refreshing) if it is valid for at
+ # least this many seconds before the token expiry time
+ MIN_TOKEN_LIFE_SECONDS = 120
 def __init__(self, auth_url=None,
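Review bot: The new `MIN_TOKEN_LIFE_SECONDS = 120` is still a hard-coded class attribute, and its comment does not say what happens when the identity service issues tokens that live for less than this margin. If the constant is used the way the comment describes, a token whose total lifetime is 120 seconds or less would presumably count as needing refresh on every call, so each request would re-authenticate. That interaction should be documented next to the value. I would extend the comment to something like `# seconds of remaining validity below which a token is re-fetched; keep this below the shortest token lifetime the identity service issues`. The body of BaseIdentityPlugin continues outside the hunk, so the comparison that consumes this value is not visible here.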