Token provider
OpenStack Identity supports customizable token providers. This is
specified in the [token] section of the configuration file.
The token provider controls the token construction, validation, and
revocation operations.
You can register your own token provider by configuring the following
property:
Note
More commonly, you can use this option to change the token provider
to one of the ones built in. Alternatively, you can use it to configure
your own token provider.
provider– token provider driver. Defaults to
fernet. Implemented bykeystone.token.providers.fernet.Provider. This is
the entry point for the token provider in the
keystone.token.providernamespace.
Below is the detailed list of the token formats supported by
keystone.:
- Fernet
fernettokens do not need to be persisted at all, but
require that you runkeystone-manage fernet_setup(also see
thekeystone-manage fernet_rotatecommand).
Warning
Fernet tokens are bearer tokens. They must be protected from
unnecessary disclosure to prevent unauthorized access.
- JWS
jwstokens do not need to be persisted at all, but
require that you configure an asymmetric key pair to sign and validate
tokens. The key pair can be generated using
keystone-manage create_jws_keypairor it can be generated
out-of-band manually so long as it is compatible with the JWT
ES256Elliptic Curve Digital Signature Algorithm (ECDSA)
using a P-256 curve and a SHA-256 hash algorithm.
Warning
JWS tokens are bearer tokens. They must be protected from unnecessary
disclosure to prevent unauthorized access.
