94a27b1960
Change-Id: I03b806b6c2ce50e3c4d358c012ac5b8012f585ef
65 lines
1.7 KiB
ReStructuredText
============================================
Configure Identity service for token binding
============================================

Token binding embeds information from an external authentication
mechanism, such as a Kerberos server or X.509 certificate, inside a
token. By using token binding, a client can enforce the use of a
specified external authentication mechanism with the token. This
additional security mechanism ensures that if a token is stolen, for
example, it is not usable without external authentication.

You configure the authentication types for a token binding in the
``/etc/keystone/keystone.conf`` file:

.. code-block:: ini

   [token]
   bind = kerberos

or

.. code-block:: ini

   [token]
   bind = x509

Currently ``kerberos`` and ``x509`` are supported.

To enforce checking of token binding, set the ``enforce_token_bind``
option to one of these modes:

- ``disabled``

  Disables token bind checking.

- ``permissive``

  Enables bind checking. If a token is bound to an unknown
  authentication mechanism, the server ignores it. This is the default
  mode.

- ``strict``

  Enables bind checking. If a token is bound to an unknown
  authentication mechanism, the server rejects it.

- ``required``

  Enables bind checking. Requires use of at least one authentication
  mechanism for tokens.

- ``kerberos``

  Enables bind checking. Requires use of kerberos as the authentication
  mechanism for tokens:

  .. code-block:: ini

     [token]
     enforce_token_bind = kerberos

- ``x509``

  Enables bind checking. Requires use of X.509 as the authentication
  mechanism for tokens:

  .. code-block:: ini

     [token]
     enforce_token_bind = x509
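The following Python function is an added illustration of how the six ``enforce_token_bind`` modes above decide whether a request may use a bound token; it is not keystone's or keystonemiddleware's own code. It assumes the token's ``bind`` section is a mapping of mechanism name to identifier and that the request side exposes the identities it has proven (a Kerberos principal after Negotiate, an X.509 client-certificate subject) in a mapping of the same shape.

```python
"""Illustrative enforcement of the enforce_token_bind modes.

Added example, not keystone's own code. ``token_bind`` is the ``bind``
section of a validated token ({mechanism: identifier}); ``request_auth``
is an assumed mapping of the mechanisms the current request has actually
proven ({mechanism: identifier}) as the service in front of keystone
would expose them.
"""

# Mechanisms the page lists as supported values of [token] bind.
KNOWN_MECHANISMS = ("kerberos", "x509")


def check_token_bind(mode, token_bind, request_auth):
    """Return (allowed, reason) for the configured enforce_token_bind mode."""
    if mode == "disabled":
        return True, "bind checking disabled"

    if not token_bind:
        # A token without any binding is accepted unless the mode
        # demands one (required, or a specific mechanism name).
        if mode in ("permissive", "strict"):
            return True, "token carries no bind"
        return False, "mode %r requires a bound token" % mode

    # Mode named after a mechanism: that mechanism must be in the bind.
    if mode in KNOWN_MECHANISMS and mode not in token_bind:
        return False, "token is not bound to %s" % mode

    for mechanism, identifier in token_bind.items():
        if mechanism not in KNOWN_MECHANISMS:
            if mode == "permissive":
                continue  # permissive: unknown mechanism is ignored
            return False, "unknown bind mechanism %r" % mechanism
        presented = request_auth.get(mechanism)
        if presented is None:
            return False, "request did not authenticate via %s" % mechanism
        if presented != identifier:
            # The stolen-token case: the token is valid, but the caller
            # cannot prove the external identity it is bound to.
            return False, "%s identity mismatch" % mechanism
    return True, "bind satisfied"
```

The mismatch branch is the check that makes a stolen bound token useless to anyone who cannot also complete the external authentication.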