keystone/doc/source/admin/token-provider.rst
Lance Bragstad 032dd49db2 Remove the sql token driver and uuid token provider
Both of these drivers were staged for removal in Rocky. Now that
Rocky is open for development we can remove them. This commit removes
just the bare-bones aspects of each. Subsequent patches will do the
following:

  - Remove test class that were only meant for sql or uuid scenarios
  - Refactor the notification framework to not hint at token storage
  - Refactor the token provider API interfaces to be simpler and
    cleaner
  - Remove the needs_persistence property from the token provider API
    and document the ability to push that logic into individual
    providers that require it
  - Return 403 Forbidden for all requests to fetch a revocation list
  - Remove the signing directory configuration options

These changes will result in simpler interfaces which will be
important for people implementing their own token providers and
storage layers.

bp removed-as-of-rocky

Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce
2018-02-12 17:32:47 +00:00

34 lines
1.1 KiB
ReStructuredText

==============
Token provider
==============
OpenStack Identity supports customizable token providers. This is specified
in the ``[token]`` section of the configuration file. The token provider
controls the token construction, validation, and revocation operations.
You can register your own token provider by configuring the following property:
.. note::
More commonly, you can use this option to change the token provider to one
of the ones built in. Alternatively, you can use it to configure your own
token provider.
* ``provider`` - token provider driver.
Defaults to ``fernet``.
Implemented by :class:`keystone.token.providers.fernet.Provider`. This is the
entry point for the token provider in the ``keystone.token.provider``
namespace.
Below is the detailed list of the token formats supported by keystone.:
Fernet
``fernet`` tokens do not need to be persisted at all, but require that you run
``keystone-manage fernet_setup`` (also see the
``keystone-manage fernet_rotate`` command).
.. warning::
Fernet tokens are bearer tokens. They must be protected from unnecessary
disclosure to prevent unauthorized access.