950e7d1f6d
Add documentation that advertise support for JWS tokens. bp json-web-tokens Change-Id: If1700c53674ad98b54f572a73b5d4350c7837ab6
47 lines
1.7 KiB
ReStructuredText
47 lines
1.7 KiB
ReStructuredText
==============
|
|
Token provider
|
|
==============
|
|
|
|
OpenStack Identity supports customizable token providers. This is specified
|
|
in the ``[token]`` section of the configuration file. The token provider
|
|
controls the token construction, validation, and revocation operations.
|
|
|
|
You can register your own token provider by configuring the following property:
|
|
|
|
.. note::
|
|
|
|
More commonly, you can use this option to change the token provider to one
|
|
of the ones built in. Alternatively, you can use it to configure your own
|
|
token provider.
|
|
|
|
* ``provider`` - token provider driver.
|
|
Defaults to ``fernet``.
|
|
Implemented by :class:`keystone.token.providers.fernet.Provider`. This is the
|
|
entry point for the token provider in the ``keystone.token.provider``
|
|
namespace.
|
|
|
|
Below is the detailed list of the token formats supported by keystone.:
|
|
|
|
Fernet
|
|
``fernet`` tokens do not need to be persisted at all, but require that you run
|
|
``keystone-manage fernet_setup`` (also see the
|
|
``keystone-manage fernet_rotate`` command).
|
|
|
|
.. warning::
|
|
|
|
Fernet tokens are bearer tokens. They must be protected from unnecessary
|
|
disclosure to prevent unauthorized access.
|
|
|
|
JWS
|
|
``jws`` tokens do not need to be persisted at all, but require that you
|
|
configure an asymmetric key pair to sign and validate tokens. The key pair can
|
|
be generated using ``keystone-manage create_jws_keypair`` or it can be
|
|
generated out-of-band manually so long as it is compatible with the JWT
|
|
``ES256`` Elliptic Curve Digital Signature Algorithm (ECDSA) using a P-256
|
|
curve and a SHA-256 hash algorithm.
|
|
|
|
.. warning::
|
|
|
|
JWS tokens are bearer tokens. They must be protected from unnecessary
|
|
disclosure to prevent unauthorized access.
|