From bf5404907edb246d91777732c567722c552cfbaa Mon Sep 17 00:00:00 2001
From: zlyqqq
Date: Fri, 9 Jun 2017 11:48:40 +0800
Subject: [PATCH] Add annotation about token authenticate
If we use token authenticate method, the new token expires at the time which is equal to expiration time of the old token in the request. We can add annotation about why take this way.
Change-Id: If7740f89ea7d38500f96f2ee5eb977d46dbe2584
---
 keystone/auth/plugins/token.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/keystone/auth/plugins/token.py b/keystone/auth/plugins/token.py
index 8c8be52338..6cc737202e 100644
--- a/keystone/auth/plugins/token.py
+++ b/keystone/auth/plugins/token.py
@@ -102,6 +102,10 @@ def token_authenticate(request, token_ref):
 # issued prior to audit id existing, the chain is not tracked.
 token_audit_id = None
+ # To prevent users from never having to re-authenticate, the original
+ # token expiration time is maintained in the new token. Not doing this
+ # would make it possible for a user to continuously bump token
+ # expiration through token rescoping without proving their identity.
 response_data.setdefault('expires_at', token_ref.expires)
 response_data['audit_id'] = token_audit_id
 response_data.setdefault('user_id', token_ref.user_id)
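Review bot: The added comment states that the original expiration "is maintained", but the line it documents is `response_data.setdefault('expires_at', token_ref.expires)`, which only applies when `expires_at` is not already present in `response_data`. Whether an earlier step can populate that key is not visible here (token_authenticate starts above the hunk), so the comment should spell out the assumption, for example `# NOTE: setdefault keeps any 'expires_at' already in response_data; nothing upstream may set a later expiry.` If no caller legitimately pre-sets the key, a direct assignment like the `audit_id` line below it would make the guarantee unconditional. The opening "To prevent users from never having to re-authenticate" is also a double negative; "So that users must eventually re-authenticate" reads more clearly.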