Merge "Consolidate identity-token-binding.rst"
This commit is contained in:
commit
5de6fd0237
@ -62,3 +62,6 @@ option to one of these modes:
[token]
[token]
enforce_token_bind = x509
enforce_token_bind = x509
*Do not* set ``enforce_token_bind = named`` as there is not an authentication
mechanism called ``named``.
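Review bot: the added sentence warns against ``enforce_token_bind = named`` but never says what to put there instead; since the hunk context already shows ``enforce_token_bind = x509``, reword it along the lines of "``named`` is a placeholder for the mechanism name (for example ``x509`` or ``kerberos``), not a value the option accepts", so readers are told to substitute a real mechanism rather than only warned off. Also worth confirming that ``x509`` is in fact an accepted bind mechanism on the consolidated page, because the section deleted in the second hunk of this commit states that only ``kerberos`` is currently supported; the consolidation should not silently change that claim.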
@ -431,48 +431,6 @@ See `API Specification for OAuth 1.0a <https://developer.openstack.org/
api-ref/identity/v3-ext/index.html#os-oauth1-api>`_ for the details of
api-ref/identity/v3-ext/index.html#os-oauth1-api>`_ for the details of
API definition.
API definition.
Token Binding
=============
Token binding refers to the practice of embedding information from external
authentication providers (like a company's Kerberos server) inside the token
such that a client may enforce that the token only be used in conjunction with
that specified authentication. This is an additional security mechanism as it
means that if a token is stolen it will not be usable without also providing
the external authentication.
To activate token binding you must specify the types of authentication that
token binding should be used for in ``keystone.conf`` e.g.:
.. code-block:: ini
[token]
bind = kerberos
Currently only ``kerberos`` is supported.
To enforce checking of token binding the ``enforce_token_bind`` parameter
should be set to one of the following modes:
* ``disabled`` disable token bind checking
* ``permissive`` enable bind checking, if a token is bound to a mechanism that
is unknown to the server then ignore it. This is the default.
* ``strict`` enable bind checking, if a token is bound to a mechanism that is
unknown to the server then this token should be rejected.
* ``required`` enable bind checking and require that at least 1 bind mechanism
is used for tokens.
* named enable bind checking and require that the specified authentication
mechanism is used. e.g.:
.. code-block:: ini
[token]
enforce_token_bind = kerberos
*Do not* set ``enforce_token_bind = named`` as there is not an authentication
mechanism called ``named``.
Limiting list return size
Limiting list return size
=========================
=========================
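Review bot: deleting the whole Token Binding section leaves this page with no pointer to where the material went; replace the removed block with a single cross-reference (for example a ``:doc:`` link to ``identity-token-binding``) between the OAuth 1.0a section and "Limiting list return size", so the surrounding flow and any existing bookmarks still lead readers to the consolidated page. Before merging, also check that the consolidated page still covers everything dropped here, in particular the ``[token] bind = kerberos`` activation setting, the ``permissive`` default for ``enforce_token_bind``, and the distinction between ``strict`` and ``required``, since only the ``named``-mode warning is visibly carried over by the first hunk of this commit.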