d9e6c1d4dd
Adds a new model and provider for receipts which are very similar to tokens (fernet based), and share the same fernet mechanisms. Adds changes to the auth layer to handle the creation, validation, and consumptions of receipts as part of the auth process. Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb bp: mfa-auth-receipt
19 lines
1.0 KiB
YAML
19 lines
1.0 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`blueprint mfa-auth-receipt <https://blueprints.launchpad.net/keystone/+spec/mfa-auth-receipt>`_]
|
|
Added support for auth receipts. Allows multi-step authentication for users
|
|
with configured MFA Rules. Partial authentication with successful auth
|
|
methods will return an auth receipt that can be consumed in subsequent auth
|
|
attempts along with the missing auth methods to complete auth and be
|
|
provided with a valid token.
|
|
upgrade:
|
|
- |
|
|
[`blueprint mfa-auth-receipt <https://blueprints.launchpad.net/keystone/+spec/mfa-auth-receipt>`_]
|
|
Auth receipts share the same fernet mechanism as tokens and by default
|
|
will share keys with tokens and work out of the box. If your fernet key
|
|
directory is not the default, you will need to also configure the receipt
|
|
key directory, but they can both point to the same location allowing key
|
|
rotations to affect both safely. It is possible to split receipt and token
|
|
keys and run rotatations separately for both if needed.
|