openstack/keystone
Code Issues Proposed changes

Merge "Consolidate identity-token-binding.rst"

Browse Source
This commit is contained in:
Zuul 2018-03-11 02:12:11 +00:00 committed by Gerrit Code Review
commit 5de6fd0237
2 changed files with 3 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/source/admin/identity-token-binding.rst
View File

@ -62,3 +62,6 @@ option to one of these modes:
[token]
enforce_token_bind = x509
*Do not* set ``enforce_token_bind = named`` as there is not an authentication
mechanism called ``named``.

42
doc/source/configuration.rst
View File

@ -431,48 +431,6 @@ See `API Specification for OAuth 1.0a <https://developer.openstack.org/
api-ref/identity/v3-ext/index.html#os-oauth1-api>`_ for the details of
API definition.
Token Binding
=============
Token binding refers to the practice of embedding information from external
authentication providers (like a company's Kerberos server) inside the token
such that a client may enforce that the token only be used in conjunction with
that specified authentication. This is an additional security mechanism as it
means that if a token is stolen it will not be usable without also providing
the external authentication.
To activate token binding you must specify the types of authentication that
token binding should be used for in ``keystone.conf`` e.g.:
.. code-block:: ini
[token]
bind = kerberos
Currently only ``kerberos`` is supported.
To enforce checking of token binding the ``enforce_token_bind`` parameter
should be set to one of the following modes:
* ``disabled`` disable token bind checking
* ``permissive`` enable bind checking, if a token is bound to a mechanism that
is unknown to the server then ignore it. This is the default.
* ``strict`` enable bind checking, if a token is bound to a mechanism that is
unknown to the server then this token should be rejected.
* ``required`` enable bind checking and require that at least 1 bind mechanism
is used for tokens.
* named enable bind checking and require that the specified authentication
mechanism is used. e.g.:
.. code-block:: ini
[token]
enforce_token_bind = kerberos
*Do not* set ``enforce_token_bind = named`` as there is not an authentication
mechanism called ``named``.
Limiting list return size
=========================