Add annotation about token authenticate

If we use token authenticate method, the new token expires at the time which is equal to expiration time of the old token in the request. We can add annotation about why take this way. Change-Id: If7740f89ea7d38500f96f2ee5eb977d46dbe2584
2017-06-09 11:48:40 +08:00 · 2017-06-09 11:48:40 +08:00 · bf5404907e
parent c528539879
commit bf5404907e
1 changed files with 4 additions and 0 deletions
--- a/keystone/auth/plugins/token.py
+++ b/keystone/auth/plugins/token.py
@ -102,6 +102,10 @@ def token_authenticate(request, token_ref):
            # issued prior to audit id existing, the chain is not tracked.
            token_audit_id = None

+        # To prevent users from never having to re-authenticate, the original
+        # token expiration time is maintained in the new token. Not doing this
+        # would make it possible for a user to continuously bump token
+        # expiration through token rescoping without proving their identity.
        response_data.setdefault('expires_at', token_ref.expires)
        response_data['audit_id'] = token_audit_id
        response_data.setdefault('user_id', token_ref.user_id)