Clarify details of json-web-tokens spec

Change-Id: Ia00e71d5229aaedbd97f7b33dc9308b121948d4f
This commit is contained in:
Colleen Murphy 2017-10-20 11:39:56 +02:00
parent ae7760d282
commit 0aa11d2c64
1 changed files with 7 additions and 4 deletions

@ -106,10 +106,13 @@ Security Impact
---------------
Since JWT is a widely used web standard, this will have a net positive impact
on security. Choosing to use JWE, an optional feature of the JWT spec, will
ensure that the data within the token is at least as secure as it is in fernet
tokens. These will still be bearer tokens and so interception of one must still
be guarded against.
on security. The implementation will use JWE even though it is an optional
feature of the JWT spec. While this will not protect against an attacker using
a valid token to query keystone for information about the token, it protects
against an attacker gaining information from an expired or revoked token. This
will ensure that the data within the token is at least as secure as it is in
fernet tokens. These will still be bearer tokens and so interception of one
must still be guarded against.
Notifications Impact
--------------------
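Review bot: The new wording ("The implementation will use JWE ... will ensure that the data within the token is at least as secure as it is in fernet tokens") states a guarantee that depends on choices the section does not yet name. JWE covers several key-management and content-encryption algorithm combinations with different security properties, and the comparison with fernet (which fixes a single authenticated-encryption construction) only holds once the spec pins down which JWE `alg`/`enc` values the implementation will accept and how the encryption keys are rotated and protected; consider adding a sentence to that effect here or a reference to the section that specifies it. The added sentence about expired or revoked tokens would also benefit from the qualifier that the protection holds only while the encryption key remains secret: an attacker who captures tokens and later obtains the key can still read their payloads, which is the same caveat that applies to fernet and is worth stating explicitly since the paragraph is the Security Impact section.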