Add documentation that advertise support for JWS tokens. bp json-web-tokens Change-Id: If1700c53674ad98b54f572a73b5d4350c7837ab6
1.7 KiB
Token provider
OpenStack Identity supports customizable token providers. This is
specified in the [token]
section of the configuration file.
The token provider controls the token construction, validation, and
revocation operations.
You can register your own token provider by configuring the following property:
Note
More commonly, you can use this option to change the token provider to one of the ones built in. Alternatively, you can use it to configure your own token provider.
provider
- token provider driver. Defaults tofernet
. Implemented bykeystone.token.providers.fernet.Provider
. This is the entry point for the token provider in thekeystone.token.provider
namespace.
Below is the detailed list of the token formats supported by keystone.:
- Fernet
-
fernet
tokens do not need to be persisted at all, but require that you runkeystone-manage fernet_setup
(also see thekeystone-manage fernet_rotate
command).
Warning
Fernet tokens are bearer tokens. They must be protected from unnecessary disclosure to prevent unauthorized access.
- JWS
-
jws
tokens do not need to be persisted at all, but require that you configure an asymmetric key pair to sign and validate tokens. The key pair can be generated usingkeystone-manage create_jws_keypair
or it can be generated out-of-band manually so long as it is compatible with the JWTES256
Elliptic Curve Digital Signature Algorithm (ECDSA) using a P-256 curve and a SHA-256 hash algorithm.
Warning
JWS tokens are bearer tokens. They must be protected from unnecessary disclosure to prevent unauthorized access.