Consolidate identity-token-binding.rst
Consolidate from configuration.rst into identity-token-binding.rst Change-Id: Id62e7a245b8cf1c751e21395a30fee340d5bfbe0
This commit is contained in:
Suramya Shah
parent
1175a356fc
commit
c7ef448035
|
|
@ -62,3 +62,6 @@ option to one of these modes:
|
|||
|
||||
[token]
|
||||
enforce_token_bind = x509
|
||||
|
||||
*Do not* set ``enforce_token_bind = named`` as there is not an authentication
|
||||
mechanism called ``named``.
|
||||
|
|
@ -457,48 +457,6 @@ See `API Specification for OAuth 1.0a <https://developer.openstack.org/
|
|||
api-ref/identity/v3-ext/index.html#os-oauth1-api>`_ for the details of
|
||||
API definition.
|
||||
|
||||
|
||||
Token Binding
|
||||
=============
|
||||
|
||||
Token binding refers to the practice of embedding information from external
|
||||
authentication providers (like a company's Kerberos server) inside the token
|
||||
such that a client may enforce that the token only be used in conjunction with
|
||||
that specified authentication. This is an additional security mechanism as it
|
||||
means that if a token is stolen it will not be usable without also providing
|
||||
the external authentication.
|
||||
|
||||
To activate token binding you must specify the types of authentication that
|
||||
token binding should be used for in ``keystone.conf`` e.g.:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
bind = kerberos
|
||||
|
||||
Currently only ``kerberos`` is supported.
|
||||
|
||||
To enforce checking of token binding the ``enforce_token_bind`` parameter
|
||||
should be set to one of the following modes:
|
||||
|
||||
* ``disabled`` disable token bind checking
|
||||
* ``permissive`` enable bind checking, if a token is bound to a mechanism that
|
||||
is unknown to the server then ignore it. This is the default.
|
||||
* ``strict`` enable bind checking, if a token is bound to a mechanism that is
|
||||
unknown to the server then this token should be rejected.
|
||||
* ``required`` enable bind checking and require that at least 1 bind mechanism
|
||||
is used for tokens.
|
||||
* named enable bind checking and require that the specified authentication
|
||||
mechanism is used. e.g.:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
enforce_token_bind = kerberos
|
||||
|
||||
*Do not* set ``enforce_token_bind = named`` as there is not an authentication
|
||||
mechanism called ``named``.
|
||||
|
||||
Limiting list return size
|
||||
=========================
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue