)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"9782b6e7477bd8a0772b291af4b2ffb9404f2745","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a05576c4_f5724813","updated":"2022-05-30 06:35:29.000000000","message":"recheck","commit_id":"f8dc690cbcfe64798d6bff101de3472684833e0f"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"15788a251e0b109c356ff84f058cc7e2bcd0a54b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"2885b978_38f24e86","updated":"2022-07-07 11:43:55.000000000","message":"Moved token introspection API to Alternative in PS9 because token verification can be done by using /v3/auth/tokens if we can add a field to store the client certificate to its response.","commit_id":"59a93f11cdbdc0edce458bb8fb1d810a727f461a"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"066f14e8ff3e689f4c297efe2dc99e4aba8fc6e0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"82b55e89_18cd4f65","updated":"2022-07-11 03:38:13.000000000","message":"Thank you for your comments.\n\nI\u0027ll update the patch later today.","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"6061319fe806508e59f42ea5d4e214223fdd4806","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"f3c03036_a739b4b0","updated":"2022-07-11 07:51:45.000000000","message":"Please kindly review the updated parts.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu 
Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"533351d0_a37c6cd5","updated":"2022-07-27 08:19:40.000000000","message":"Thank you for your comments.\n\nPlease kindly find my replies and updated spec.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"87b5791ac6f272a716cdde7de2323e22decbd8d7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"80f8ff28_abd70078","updated":"2022-08-05 11:27:05.000000000","message":"To knikolla\n\nHi,\n\nPlease allow me to ask additional questions about what we discussed at the last meeting.\n \n1. You mentioned the Federation API. I understood it\u0027s just a similar example, and you didn\u0027t intend to use it for this purpose. Is that correct? \n\n2. You and dmendiza suggested requiring DN (I think it must be CN, am I correct? please see Note1) or SAN to match the username [1]. Is it possible to assume that multiple clients cannot have the same CN or SAN?\n\nNote1: The DN is something like \"CN\u003d%s,O\u003d%s,L\u003d%s,ST\u003d%s,C\u003d%s\". It\u0027s weird to be used as username.\n\n[1] https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-08-02-15.00.log.html#l-95","commit_id":"f8f43587b58f67c5ca673be79056fb4641ecf784"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"f8a0a415223152e315f4c7c1cdbfb118100e5935","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":12,"id":"bc53aef4_9b3f776c","in_reply_to":"80f8ff28_abd70078","updated":"2022-08-05 15:26:07.000000000","message":"1. Yes, Federation is just a similar API.\n\n2. Yes, CN is correct, or we could also use SAN.  
We probably need a username + domain_name combination since usernames are only unique within their domain.  Maybe we can specify both the username and domain name somewhere in the DN?\n\nLooking at [1] it may make sense to use \"UID\u003dusername,DC\u003ddomain_name\" as part of the DN.  Then we could use those values to match the user and domain in Keystone.\n\nSince the CA is the identity provider in this case, the CA would need to ensure that it only issues DN\u003d\"...,UID\u003dusernam,DC\u003ddomain_name,...\" based on some criteria that you can define.\n\nWe\u0027ll need to document what parts of the DN are being used to match users and domains.\n\n[1] https://www.cryptosys.net/pki/manpki/pki_distnames.html","commit_id":"f8f43587b58f67c5ca673be79056fb4641ecf784"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"0ace8d370c9a97bb018ed0a82cbe6aade05463e3","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":12,"id":"9e6ae1c2_abba4698","in_reply_to":"9978b284_52b9a35c","updated":"2022-08-10 12:15:46.000000000","message":"I\u0027ve updated spec based on the previous meeting.\nWe\u0027re investigating the existing OS-FEDERATION mapping API so I\u0027ll elaborate on how we configure the mapping in our case.\n\nTo complete this spec, I also need to make the things below clear so please kindly tell me if you have an answer.\n\n1. about delegation of users\u0027 permission\nIn my understanding, OAuth2.0 clients have to be delegated roles from a specific user, however it\u0027s not possible if we register OAuth2.0 client as the keystone user. For example, it\u0027s not possible for non-admin user who is only allowed to access Tacker API to delegate it\u0027s role to a client whereas it\u0027s possible if we use credentials API and allow this user to access the credentials API. 
It\u0027s not a big deal while we only assume non-admin and admin users, but might be a problem when we want to use more fine-grained roles. How can we justify (or explain) this limitation?\n\n2. feasibility of diverting the existing mapping API  \nAfter briefly looking at some sources of the existing mapping API, I feel we can divert this existing API for our usecase (i.e., we don\u0027t have to build a similar mechanism from scratch). For example, we can register our mapping rule to the mapping API, and use it when authenticating an OAuth2.0 client. Does that match your thoughts?","commit_id":"f8f43587b58f67c5ca673be79056fb4641ecf784"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"c70a76801d8fbb7c1c188db820ef24a15fc16d60","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":12,"id":"9978b284_52b9a35c","in_reply_to":"bc53aef4_9b3f776c","updated":"2022-08-09 14:50:26.000000000","message":"\u003e the CA would need to ensure that it only issues DN\u003d\"...,UID\u003dusernam,DC\u003ddomain_name,...\" based on some criteria that you can define.\n\nI think we can\u0027t always enforce CA to follow the rule of Keystone. The mapping between fields of the DN and Keystone user\u0027s attributes changes depending on use cases of PKI. For example, if we have to use `project_id` but not `domain_name` to specify the users\u0027 tenant, there are several candidates of mapping such as `UID\u003dusername, OU\u003dproject_id` or `CN\u003dusername, DC\u003dproject_id`. In this sense, we have to make users change such mapping freely.\n\nIt\u0027s a little bit complicated. If we just store entire DN into credentials API as we thought at first, we don\u0027t have to think about such mapping. 
\n\nThe options are:\n- Use User API to store part of the DN Add the configuration of mapping between the DN and keystone user\u0027s attributes like federation API [1]\n- Use Credentials API to store entire DN (note that we can make it without any modification to Credentials API)\n\nWhich do you think better? or do you have other options?\n\n[1] https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html","commit_id":"f8f43587b58f67c5ca673be79056fb4641ecf784"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"410ec7db0eea7be4683fac919c4b49fb00c96c07","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"97057241_1f42036f","updated":"2022-09-16 17:55:54.000000000","message":"Let\u0027s move this spec to target the antelope cycle ","commit_id":"6d377f89dfc8f5a8e0860e80cd290c84db20aabc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"7258722149be6cdde79920d69503b0191fff39c7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"ceca091d_f092d22f","updated":"2022-08-26 12:30:47.000000000","message":"Specified that the mapping rules between DN and User attributes are defined by the FEDERATION API mapping.\nFixed some inappropriate explanations.\n\nPlease kindly do the final review before Z-3.","commit_id":"6d377f89dfc8f5a8e0860e80cd290c84db20aabc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"baae954ddf1e6e1c8afff08c1e3d2ce4538cfc75","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":15,"id":"6d778685_11669741","updated":"2022-09-20 15:46:08.000000000","message":"Changed target release to antelope","commit_id":"2d833b6eedbfe908cfad46f24a1958a3e344cdb6"},{"author":{"_account_id":33455,"name":"Hiromu 
Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"8ca26fe86f888c5182e877c62f0543ca62fb2796","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"ea4c2e09_14ecb895","updated":"2022-10-17 03:52:15.000000000","message":"Changed the directory name to 2023.1 according to the other projects, e.g., https://github.com/openstack/nova-specs/tree/master/specs/2023.1.","commit_id":"ca99a20a8ebafc73c3f3d709599b2a5f4d47246b"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"8ffd6af5561d53d73326e5d3943ccc1e1bfe7318","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":17,"id":"31ecf417_6c29d3e7","updated":"2022-12-09 14:42:14.000000000","message":"In general looks good to me. I would like to see explicitly mentioned that the certificate validation is done by apache rather than Keystone.","commit_id":"b4c87b220277c8e7c8cd5f64a5a10df832a5fdae"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"53ba4bb71c940fa0f86b9e808cb6fe0bbe1d4a63","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":17,"id":"b923eacb_883925f7","in_reply_to":"31ecf417_6c29d3e7","updated":"2022-12-13 14:59:59.000000000","message":"Thank you for your comment.\nAdded Apache (i.e., web server) to the sequence diagram and the description and explained that they handle the certificate validation.\nI didn\u0027t write Apache in the diagram because some openstack services don\u0027t use Apache.\n\nAlso, I added an example of mapping rules.","commit_id":"b4c87b220277c8e7c8cd5f64a5a10df832a5fdae"},{"author":{"_account_id":14250,"name":"Grzegorz 
Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"499a967fa0bc864fbf33e3f13e667524fdbf032b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":18,"id":"fecef7ff_aaf7f098","updated":"2022-12-16 16:38:49.000000000","message":"LGTM, if any issues pop up during the implementation we can update the spec.","commit_id":"12f37d354808921834b4beb5193d95adae4aa3ad"}],"specs/keystone/2023.1/support-oauth2-mtls.rst":[{"author":{"_account_id":597,"name":"Pete Zaitcev","email":"zaitcev@kotori.zaitcev.us","username":"zaitcev"},"change_message_id":"07d02cb0dc73f1528dbb95b9dabdabab8d292cd1","unresolved":true,"context_lines":[{"line_number":219,"context_line":"When a request is sent over the mutual TLS, a client is successfully"},{"line_number":220,"context_line":"authenticated only if the client certificate is valid and the subject DN of the"},{"line_number":221,"context_line":"certificate matches the user attributes. Note that the validity of client"},{"line_number":222,"context_line":"certificate can be checked by the general process of mutual TLS. It is also"},{"line_number":223,"context_line":"noted that the mapping rules between the subject DN and user attributes can be"},{"line_number":224,"context_line":"configured by a the mapping in the OS-FEDERATION API."},{"line_number":225,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"ba12cd4b_fc3694fd","line":222,"range":{"start_line":222,"start_character":12,"end_line":222,"end_character":15},"updated":"2022-12-16 15:37:05.000000000","message":"\"is checked\" surely. not optional.","commit_id":"12f37d354808921834b4beb5193d95adae4aa3ad"},{"author":{"_account_id":597,"name":"Pete Zaitcev","email":"zaitcev@kotori.zaitcev.us","username":"zaitcev"},"change_message_id":"07d02cb0dc73f1528dbb95b9dabdabab8d292cd1","unresolved":true,"context_lines":[{"line_number":313,"context_line":"the access token. 
Assuming the fernet token is used as an access token, this"},{"line_number":314,"context_line":"can be done by adding the thumbprint of a client certificate into the payload"},{"line_number":315,"context_line":"of the fernet token."},{"line_number":316,"context_line":""},{"line_number":317,"context_line":"Keystone Authentication and token management API"},{"line_number":318,"context_line":"------------------------------------------------"},{"line_number":319,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"910aa92a_53aced26","line":316,"updated":"2022-12-16 15:37:05.000000000","message":"Is this payload shared with anything else? What\u0027s the syntax if so?","commit_id":"12f37d354808921834b4beb5193d95adae4aa3ad"}],"specs/keystone/zed/support-oauth2-mtls.rst":[{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"f4af7ad8e3cab3ebd4170f0e979a68403ee6728a","unresolved":true,"context_lines":[{"line_number":220,"context_line":""},{"line_number":221,"context_line":"If the authentication is successful, Keystone binds the client certificate to"},{"line_number":222,"context_line":"the access token. Assuming the fernet token is used as an access token, this"},{"line_number":223,"context_line":"can be done by adding DN of a certificate or ``credential Id`` corresponding to"},{"line_number":224,"context_line":"the client into the payload of the fernet token."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"Keystone Authentication and token management API"}],"source_content_type":"text/x-rst","patch_set":9,"id":"13a5bf1b_43466462","line":223,"range":{"start_line":223,"start_character":22,"end_line":223,"end_character":62},"updated":"2022-07-08 15:12:35.000000000","message":"Can you clarify for me: Credential Id would be the fingerprint of the certificate? 
Or is it that the DN will be the Credential Id?","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"066f14e8ff3e689f4c297efe2dc99e4aba8fc6e0","unresolved":true,"context_lines":[{"line_number":220,"context_line":""},{"line_number":221,"context_line":"If the authentication is successful, Keystone binds the client certificate to"},{"line_number":222,"context_line":"the access token. Assuming the fernet token is used as an access token, this"},{"line_number":223,"context_line":"can be done by adding DN of a certificate or ``credential Id`` corresponding to"},{"line_number":224,"context_line":"the client into the payload of the fernet token."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"Keystone Authentication and token management API"}],"source_content_type":"text/x-rst","patch_set":9,"id":"a9dc6cbf_3e8a877a","line":223,"range":{"start_line":223,"start_character":22,"end_line":223,"end_character":62},"in_reply_to":"13a5bf1b_43466462","updated":"2022-07-11 03:38:13.000000000","message":"\u003e Credential Id would be the fingerprint of the certificate? Or is it that the DN will be the Credential Id?\n\nNo, I meant that credential Id can be a key to obtain DN from DB.\nAs DN is stored as a data (or blob) of Credentials [1], we can retrieve DN corresponding to a given credential Id. 
I\u0027ll elaborate on this in the next patch.\n\n[1] https://docs.openstack.org/api-ref/identity/v3/?expanded\u003dvalidate-and-show-information-for-token-detail,password-authentication-with-unscoped-authorization-detail,authenticating-with-an-application-credential-detail#credentials","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"1ac3d68798923eb8584efd3df722ac5c6dcb656d","unresolved":false,"context_lines":[{"line_number":220,"context_line":""},{"line_number":221,"context_line":"If the authentication is successful, Keystone binds the client certificate to"},{"line_number":222,"context_line":"the access token. Assuming the fernet token is used as an access token, this"},{"line_number":223,"context_line":"can be done by adding DN of a certificate or ``credential Id`` corresponding to"},{"line_number":224,"context_line":"the client into the payload of the fernet token."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"Keystone Authentication and token management API"}],"source_content_type":"text/x-rst","patch_set":9,"id":"c428ef53_11519887","line":223,"range":{"start_line":223,"start_character":22,"end_line":223,"end_character":62},"in_reply_to":"54b79a76_09e085ad","updated":"2022-07-15 10:34:30.000000000","message":"Thanks, this makes sense","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"6061319fe806508e59f42ea5d4e214223fdd4806","unresolved":true,"context_lines":[{"line_number":220,"context_line":""},{"line_number":221,"context_line":"If the authentication is successful, Keystone binds the client certificate to"},{"line_number":222,"context_line":"the access token. 
Assuming the fernet token is used as an access token, this"},{"line_number":223,"context_line":"can be done by adding DN of a certificate or ``credential Id`` corresponding to"},{"line_number":224,"context_line":"the client into the payload of the fernet token."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"Keystone Authentication and token management API"}],"source_content_type":"text/x-rst","patch_set":9,"id":"54b79a76_09e085ad","line":223,"range":{"start_line":223,"start_character":22,"end_line":223,"end_character":62},"in_reply_to":"a9dc6cbf_3e8a877a","updated":"2022-07-11 07:51:45.000000000","message":"Revised this line in PS10","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"f4af7ad8e3cab3ebd4170f0e979a68403ee6728a","unresolved":true,"context_lines":[{"line_number":445,"context_line":"contained in an API request. Keystone returns the metadata corresponding to the"},{"line_number":446,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":447,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":448,"context_line":"error response. The Keystone Middleware must be authenticated through the"},{"line_number":449,"context_line":"OAuth2.0 mutual TLS as well as the Client."},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":452,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"398f7183_02ae5d12","line":449,"range":{"start_line":448,"start_character":20,"end_line":449,"end_character":19},"updated":"2022-07-08 15:12:35.000000000","message":"How is the middleware authenticated through mutual TLS? 
Does it read a header from the web server with the contents of the certificate?\n\nCould all public endpoints be authenticated through mTLS? What about internal TLS encrypted endpoints?","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":445,"context_line":"contained in an API request. Keystone returns the metadata corresponding to the"},{"line_number":446,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":447,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":448,"context_line":"error response. The Keystone Middleware must be authenticated through the"},{"line_number":449,"context_line":"OAuth2.0 mutual TLS as well as the Client."},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":452,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"206fefdd_fdc0d967","line":449,"range":{"start_line":448,"start_character":20,"end_line":449,"end_character":19},"in_reply_to":"023f800b_2e9b6d36","updated":"2022-07-27 08:19:40.000000000","message":"As discussed in a previous meeting, I added the description that the configuration of mutual TLS for other endpoints is out-of-scope of the present document in the PS12.","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"0e8c47f38ce2c302247f5a628f33e6ee54812080","unresolved":false,"context_lines":[{"line_number":445,"context_line":"contained in an API request. 
Keystone returns the metadata corresponding to the"},{"line_number":446,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":447,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":448,"context_line":"error response. The Keystone Middleware must be authenticated through the"},{"line_number":449,"context_line":"OAuth2.0 mutual TLS as well as the Client."},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":452,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ffa0b26f_60e118fd","line":449,"range":{"start_line":448,"start_character":20,"end_line":449,"end_character":19},"in_reply_to":"206fefdd_fdc0d967","updated":"2022-08-02 13:27:30.000000000","message":"Ack","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"066f14e8ff3e689f4c297efe2dc99e4aba8fc6e0","unresolved":true,"context_lines":[{"line_number":445,"context_line":"contained in an API request. Keystone returns the metadata corresponding to the"},{"line_number":446,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":447,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":448,"context_line":"error response. 
The Keystone Middleware must be authenticated through the"},{"line_number":449,"context_line":"OAuth2.0 mutual TLS as well as the Client."},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":452,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"8558b012_daca626d","line":449,"range":{"start_line":448,"start_character":20,"end_line":449,"end_character":19},"in_reply_to":"398f7183_02ae5d12","updated":"2022-07-11 03:38:13.000000000","message":"\u003e How is the middleware authenticated through mutual TLS?\n\nI thought it\u0027s possible by registering the middleware as an OAuth2.0 client as well as API clients, but on thinking it over, \"authenticated through the\nOAuth2.0 mutual TLS\" is not a requirement. So I\u0027ll revise it.\n\nOne thing clear to me is that if we set up mTLS on Keystone, all clients connecting to Keystone have to use mTLS even if a client uses an internal endpoint.\nThis happens because, in my understanding, flask (i.e., a server of Keystone) cannot change the settings of mTLS for each endpoint (i.e., using mTLS for access token API but NOT using it for token verification API is not possible).","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"6061319fe806508e59f42ea5d4e214223fdd4806","unresolved":true,"context_lines":[{"line_number":445,"context_line":"contained in an API request. Keystone returns the metadata corresponding to the"},{"line_number":446,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":447,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":448,"context_line":"error response. 
The Keystone Middleware must be authenticated through the"},{"line_number":449,"context_line":"OAuth2.0 mutual TLS as well as the Client."},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":452,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"8b6f0608_e1fc49c4","line":449,"range":{"start_line":448,"start_character":20,"end_line":449,"end_character":19},"in_reply_to":"8558b012_daca626d","updated":"2022-07-11 07:51:45.000000000","message":"Revised this line in PS10","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"1ac3d68798923eb8584efd3df722ac5c6dcb656d","unresolved":true,"context_lines":[{"line_number":445,"context_line":"contained in an API request. Keystone returns the metadata corresponding to the"},{"line_number":446,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":447,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":448,"context_line":"error response. The Keystone Middleware must be authenticated through the"},{"line_number":449,"context_line":"OAuth2.0 mutual TLS as well as the Client."},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":452,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"023f800b_2e9b6d36","line":449,"range":{"start_line":448,"start_character":20,"end_line":449,"end_character":19},"in_reply_to":"8b6f0608_e1fc49c4","updated":"2022-07-15 10:34:30.000000000","message":"What I was thinking is that the TLS termination would usually be done by the web server, not flask. 
Looking at the available configuration in Apache and Nginx, there is usually an option to enable Mutual TLS, like \"SSLVerifyClient require\", you also provide the CA, and you can configure headers that can be later read by the middleware (or keystone itself).\n\nWhat I wonder about, is the multiple different kinds of configurations that we want to support. TripleO for example has TLS Everywhere, where all internal endpoints are TLS terminated, but I guess this is out of scope for this implementation.\n\nI guess we can configure keystone and other services with multiple endpoints, if we want to support Mutual TLS and non-mutual TLS clients, but maybe that wouldn\u0027t be considered secure, if we use an all or nothing approach? Maybe there is just one common usecase here, that we could describe here, that we want to support, like MTLS-only, enabled for all public endpoints.","commit_id":"a9e0b95c8baf548e1d45ce5a63ff1fedd16915fb"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":53,"context_line":".. warning::"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"   In order to use mutual TLS, a client has to generate a client certificate"},{"line_number":56,"context_line":"   from its public/private key pair. The client certificate must be an X509"},{"line_number":57,"context_line":"   certificate signed by a private/public Certificate Authority (CA) whose"},{"line_number":58,"context_line":"   certificate must be available on both client and Keystone. 
These files"},{"line_number":59,"context_line":"   should be externally generated."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Terminology"}],"source_content_type":"text/x-rst","patch_set":10,"id":"f196733d_b4d82a65","line":58,"range":{"start_line":56,"start_character":60,"end_line":58,"end_character":60},"updated":"2022-07-22 14:42:27.000000000","message":"so this will not work with self-signed certificates?","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":53,"context_line":".. warning::"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"   In order to use mutual TLS, a client has to generate a client certificate"},{"line_number":56,"context_line":"   from its public/private key pair. The client certificate must be an X509"},{"line_number":57,"context_line":"   certificate signed by a private/public Certificate Authority (CA) whose"},{"line_number":58,"context_line":"   certificate must be available on both client and Keystone. These files"},{"line_number":59,"context_line":"   should be externally generated."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Terminology"}],"source_content_type":"text/x-rst","patch_set":10,"id":"ab45c8bb_2e83778c","line":58,"range":{"start_line":56,"start_character":60,"end_line":58,"end_character":60},"in_reply_to":"f196733d_b4d82a65","updated":"2022-07-27 08:19:40.000000000","message":"Basically yes.\nI guess the thing behind this question is that RFC8705 describes a case where a self-signed certificate is used. 
Our use case is PKI and I\u0027ve just thought it\u0027s a little bit safer to start by only supporting PKI though it depends on use cases.\n\nIf you think it\u0027s better to support self-signed certificate, please let me know. I guess it\u0027s also not a big deal from an implementation standpoint to make.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":82,"context_line":"  seqdiag {"},{"line_number":83,"context_line":"    User; Client; \"Keystone Middleware\"; Keystone; \"OpenStack Service\";"},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"    User -\u003e Keystone [label \u003d \"POST /identity/v3/credentials\\n w/ client certificate (over mutual TLS)\"];"},{"line_number":86,"context_line":"    User \u003c-- Keystone"},{"line_number":87,"context_line":"    [label \u003d \"Response 201 Created\\n w/ client ID\"];"},{"line_number":88,"context_line":"    User -\u003e Client"}],"source_content_type":"text/x-rst","patch_set":10,"id":"27750f08_4eab145c","line":85,"range":{"start_line":85,"start_character":86,"end_line":85,"end_character":101},"updated":"2022-07-22 14:42:27.000000000","message":"how will this be performed over mTLs if the server doesn\u0027t trust the clients certificate yet? 
I don\u0027t think this step requires mTLS.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":82,"context_line":"  seqdiag {"},{"line_number":83,"context_line":"    User; Client; \"Keystone Middleware\"; Keystone; \"OpenStack Service\";"},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"    User -\u003e Keystone [label \u003d \"POST /identity/v3/credentials\\n w/ client certificate (over mutual TLS)\"];"},{"line_number":86,"context_line":"    User \u003c-- Keystone"},{"line_number":87,"context_line":"    [label \u003d \"Response 201 Created\\n w/ client ID\"];"},{"line_number":88,"context_line":"    User -\u003e Client"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3966e8ea_2c583d59","line":85,"range":{"start_line":85,"start_character":86,"end_line":85,"end_character":101},"in_reply_to":"27750f08_4eab145c","updated":"2022-07-27 08:19:40.000000000","message":"\u003e how will this be performed over mTLs if the server doesn\u0027t trust the clients certificate yet? \n\nTo be sure, it doesn\u0027t mean authenticating the User with its certificate. The User authenticates with a fernet token (password), but the server also verifies the trust chain of the User\u0027s certificate and the possession of a private key corresponding to the certificate. As long as Keystone and the User use the same root CA certificate, it works.\n\n\u003e I don\u0027t think this step requires mTLS.\n\nAs you said, this step doesn\u0027t require mTLS even though it works.\nThe reason I wrote \"(over mutual TLS)\" is that I don\u0027t think it\u0027s possible to disable mTLS only on \u0027/v3/credentials\u0027. 
If we configure mTLS in Keystone, clients have to use mTLS for all Identity APIs (e.g., `/v3/auth/tokens`, `v3/credentials`, etc.). If you know it\u0027s wrong, please tell me.\n\nMaybe such limitation shouldn\u0027t appear on here as it\u0027s confusing. I\u0027ll once remove it in the PS11. If you disagree with my decision, please kindly leave a new comment.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":88,"context_line":"    User -\u003e Client"},{"line_number":89,"context_line":"    [label \u003d \"set client ID and client certificate\"];"},{"line_number":90,"context_line":"    Client -\u003e Keystone"},{"line_number":91,"context_line":"    [label \u003d \"POST\\n /identity/v3/OS-OAUTH2/token\\n w/ client ID + client certificate (over mutual TLS)\", note \u003d \"A client certificates is retrieved from a request sent over mutual TLS\"];"},{"line_number":92,"context_line":"    Keystone \u003c-- Keystone"},{"line_number":93,"context_line":"    [label \u003d \"Validate trust chain of the client certificate\"];"},{"line_number":94,"context_line":"    Keystone \u003c-- Keystone"}],"source_content_type":"text/x-rst","patch_set":10,"id":"c514d595_099bfc86","line":91,"range":{"start_line":91,"start_character":14,"end_line":91,"end_character":85},"updated":"2022-07-22 14:42:27.000000000","message":"will the credential be limited to a project the same way that application credentials are?","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":88,"context_line":"    User -\u003e Client"},{"line_number":89,"context_line":"    
[label \u003d \"set client ID and client certificate\"];"},{"line_number":90,"context_line":"    Client -\u003e Keystone"},{"line_number":91,"context_line":"    [label \u003d \"POST\\n /identity/v3/OS-OAUTH2/token\\n w/ client ID + client certificate (over mutual TLS)\", note \u003d \"A client certificates is retrieved from a request sent over mutual TLS\"];"},{"line_number":92,"context_line":"    Keystone \u003c-- Keystone"},{"line_number":93,"context_line":"    [label \u003d \"Validate trust chain of the client certificate\"];"},{"line_number":94,"context_line":"    Keystone \u003c-- Keystone"}],"source_content_type":"text/x-rst","patch_set":10,"id":"9cfcd2f2_baf5f03a","line":91,"range":{"start_line":91,"start_character":14,"end_line":91,"end_character":85},"in_reply_to":"c514d595_099bfc86","updated":"2022-07-27 08:19:40.000000000","message":"yes.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":92,"context_line":"    Keystone \u003c-- Keystone"},{"line_number":93,"context_line":"    [label \u003d \"Validate trust chain of the client certificate\"];"},{"line_number":94,"context_line":"    Keystone \u003c-- Keystone"},{"line_number":95,"context_line":"    [label \u003d \"Issue access token and bind client certificate thumbprint to the access token\"];"},{"line_number":96,"context_line":"    Client \u003c-- Keystone"},{"line_number":97,"context_line":"    [label \u003d \"Response 200 OK\\n w/ access token\"];"},{"line_number":98,"context_line":"    Client -\u003e \"Keystone Middleware\""}],"source_content_type":"text/x-rst","patch_set":10,"id":"0d7a0c70_8ced3d11","line":95,"range":{"start_line":95,"start_character":37,"end_line":95,"end_character":91},"updated":"2022-07-22 14:42:27.000000000","message":"The RFC makes binding optional. 
Is your intention to make it required?","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":92,"context_line":"    Keystone \u003c-- Keystone"},{"line_number":93,"context_line":"    [label \u003d \"Validate trust chain of the client certificate\"];"},{"line_number":94,"context_line":"    Keystone \u003c-- Keystone"},{"line_number":95,"context_line":"    [label \u003d \"Issue access token and bind client certificate thumbprint to the access token\"];"},{"line_number":96,"context_line":"    Client \u003c-- Keystone"},{"line_number":97,"context_line":"    [label \u003d \"Response 200 OK\\n w/ access token\"];"},{"line_number":98,"context_line":"    Client -\u003e \"Keystone Middleware\""}],"source_content_type":"text/x-rst","patch_set":10,"id":"10e65923_0c9bcc14","line":95,"range":{"start_line":95,"start_character":37,"end_line":95,"end_character":91},"in_reply_to":"0d7a0c70_8ced3d11","updated":"2022-07-27 08:19:40.000000000","message":"Yes.\nAs you and RFC8705 Sec. 1 mentioned, we can separate Mutual-TLS certificate-bound access tokens and Mutual-TLS client authentication, but we think it doesn\u0027t make much sense for the following reason.\n\nIf we want to disable (or ignore) the binding, we can simply use OAuth2.0 keystonemiddleware in Yoga [1]. This middleware performs the token validation for OAuth2.0 token in the Authorization header, but doesn\u0027t check the thumbprint of the client certificate. \n\nI know it may not completely meet the RFC8705, but actually whether or not to verify a thumbprint bound to an access token is a matter for the protected resource (API server), as described in RFC8705 Sec. 
3.2 [2].\n\n[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/830737\n[2] https://datatracker.ietf.org/doc/html/rfc8705#section-3.2","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":123,"context_line":""},{"line_number":124,"context_line":"#. Client requests a new access token to Keystone"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"   A Client authenticates with Keystone and requests a new access token at the"},{"line_number":127,"context_line":"   same time. For the authentication, the Client uses its client certificate"},{"line_number":128,"context_line":"   as a credential."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"#. Keystone verifies the validity of the client certificate"}],"source_content_type":"text/x-rst","patch_set":10,"id":"a332d5db_84c5dc65","line":127,"range":{"start_line":126,"start_character":72,"end_line":127,"end_character":12},"updated":"2022-07-22 14:42:27.000000000","message":"at the same time as what?","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":123,"context_line":""},{"line_number":124,"context_line":"#. Client requests a new access token to Keystone"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"   A Client authenticates with Keystone and requests a new access token at the"},{"line_number":127,"context_line":"   same time. 
For the authentication, the Client uses its client certificate"},{"line_number":128,"context_line":"   as a credential."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"#. Keystone verifies the validity of the client certificate"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e58cb2ec_1d2ee5a2","line":127,"range":{"start_line":126,"start_character":72,"end_line":127,"end_character":12},"in_reply_to":"a332d5db_84c5dc65","updated":"2022-07-27 08:19:40.000000000","message":"It\u0027s not necessary. Removed in the PS11.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":220,"context_line":""},{"line_number":221,"context_line":"If the authentication is successful, Keystone binds the client certificate to"},{"line_number":222,"context_line":"the access token. Assuming the fernet token is used as an access token, this"},{"line_number":223,"context_line":"can be done by adding DN of a client certificate into the payload of the fernet"},{"line_number":224,"context_line":"token or adding a `credential Id` which corresponds to the client. 
If"},{"line_number":225,"context_line":"`credential Id` is used, Keystone will obtain DN from the `Credential`` table"},{"line_number":226,"context_line":"by using `credential Id` as a key."},{"line_number":227,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"8ee51925_976db609","line":224,"range":{"start_line":223,"start_character":12,"end_line":224,"end_character":5},"updated":"2022-07-22 14:42:27.000000000","message":"so just to confirm, this will be the thumbprint to validate the binding?","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":220,"context_line":""},{"line_number":221,"context_line":"If the authentication is successful, Keystone binds the client certificate to"},{"line_number":222,"context_line":"the access token. Assuming the fernet token is used as an access token, this"},{"line_number":223,"context_line":"can be done by adding DN of a client certificate into the payload of the fernet"},{"line_number":224,"context_line":"token or adding a `credential Id` which corresponds to the client. If"},{"line_number":225,"context_line":"`credential Id` is used, Keystone will obtain DN from the `Credential`` table"},{"line_number":226,"context_line":"by using `credential Id` as a key."},{"line_number":227,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"e2b7adb0_4659ab37","line":224,"range":{"start_line":223,"start_character":12,"end_line":224,"end_character":5},"in_reply_to":"8ee51925_976db609","updated":"2022-07-27 08:19:40.000000000","message":"It\u0027s a thumbprint. 
\nFixed in the PS11\n\nAlso, removed the sentence after `or` (i.e., `or credential Id...`) as the thumbprint is small enough to be stored in the fernet token.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":447,"context_line":"contained in an API request. Keystone returns the metadata corresponding to the"},{"line_number":448,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":449,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":450,"context_line":"error response. The Keystone Middleware may have to also support mutual TLS in"},{"line_number":451,"context_line":"the case where Keystone can\u0027t disable mutual TLS for specific API."},{"line_number":452,"context_line":""},{"line_number":453,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":454,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3744e4f9_bd1b8909","line":451,"range":{"start_line":450,"start_character":16,"end_line":451,"end_character":66},"updated":"2022-07-22 14:42:27.000000000","message":"Can you please elaborate on this?","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":447,"context_line":"contained in an API request. 
Keystone returns the metadata corresponding to the"},{"line_number":448,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":449,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":450,"context_line":"error response. The Keystone Middleware may have to also support mutual TLS in"},{"line_number":451,"context_line":"the case where Keystone can\u0027t disable mutual TLS for specific API."},{"line_number":452,"context_line":""},{"line_number":453,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":454,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":10,"id":"52ac4f9d_bdeb20f1","line":451,"range":{"start_line":450,"start_character":16,"end_line":451,"end_character":66},"in_reply_to":"3744e4f9_bd1b8909","updated":"2022-07-27 08:19:40.000000000","message":"This is what I tried to explain in the above comment [1].\nI made this line a note and explain what I wrote in [1].\n\n[1] https://review.opendev.org/c/openstack/keystone-specs/+/843765/comment/27750f08_4eab145c/","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"c6d3f477f3a2db55b8b862aa6338ccacba0e315f","unresolved":true,"context_lines":[{"line_number":447,"context_line":"contained in an API request. Keystone returns the metadata corresponding to the"},{"line_number":448,"context_line":"token, such as the thumbprint of client certificate, the service catalog, user"},{"line_number":449,"context_line":"Id, token validity, etc, if the credential is valid. Otherwise, it returns an"},{"line_number":450,"context_line":"error response. 
The Keystone Middleware may have to also support mutual TLS in"},{"line_number":451,"context_line":"the case where Keystone can\u0027t disable mutual TLS for specific API."},{"line_number":452,"context_line":""},{"line_number":453,"context_line":"The Keystone receiving this API request has to obtain the token metadata"},{"line_number":454,"context_line":"through the two steps:"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e749c766_548ac4cf","line":451,"range":{"start_line":450,"start_character":16,"end_line":451,"end_character":66},"in_reply_to":"52ac4f9d_bdeb20f1","updated":"2022-07-27 08:45:44.000000000","message":"Sorry, on second thought, I feel writing this in the spec is inappropriate, so I removed it in PS12. Please see the comment [1].\nI guess there are some ways to break this limitation [2], such as adding additional endpoints. Maybe xek pointed out this option, if my understanding is correct.\n\n[1] https://review.opendev.org/c/openstack/keystone-specs/+/843765/comment/27750f08_4eab145c/\n[2] https://datatracker.ietf.org/doc/html/rfc8705#section-5","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":472,"context_line":"determined by the value of the ``active`` field in a response, i.e., a token is"},{"line_number":473,"context_line":"valid if the value is ``true``, and invalid if the value is ``false``."},{"line_number":474,"context_line":""},{"line_number":475,"context_line":"Another alternative is to use JWT including the thumbprint of a client"},{"line_number":476,"context_line":"certificate as a field (See `RFC8705: 3.1 JWT Certificate Thumbprint"},{"line_number":477,"context_line":"Confirmation Method` [#oauth2_mtls_jwt]_). 
In this case, we can omit the token"},{"line_number":478,"context_line":"introspection API."},{"line_number":479,"context_line":""},{"line_number":480,"context_line":"Creation of Certificate-bound Access Tokens"},{"line_number":481,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"82354e18_1f02a371","line":478,"range":{"start_line":475,"start_character":0,"end_line":478,"end_character":18},"updated":"2022-07-22 14:42:27.000000000","message":"We can also add the thumbprint to fernet tokens.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":472,"context_line":"determined by the value of the ``active`` field in a response, i.e., a token is"},{"line_number":473,"context_line":"valid if the value is ``true``, and invalid if the value is ``false``."},{"line_number":474,"context_line":""},{"line_number":475,"context_line":"Another alternative is to use JWT including the thumbprint of a client"},{"line_number":476,"context_line":"certificate as a field (See `RFC8705: 3.1 JWT Certificate Thumbprint"},{"line_number":477,"context_line":"Confirmation Method` [#oauth2_mtls_jwt]_). 
In this case, we can omit the token"},{"line_number":478,"context_line":"introspection API."},{"line_number":479,"context_line":""},{"line_number":480,"context_line":"Creation of Certificate-bound Access Tokens"},{"line_number":481,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"35ba3ee1_1d8ae82a","line":478,"range":{"start_line":475,"start_character":0,"end_line":478,"end_character":18},"in_reply_to":"82354e18_1f02a371","updated":"2022-07-27 08:19:40.000000000","message":"I fixed the description about fernet tokens two comments above.\n\nAs you know, JWT (i.e., JWS in Keystone) is not encrypted whereas a fernet token is encrypted. The way to validate them can be different: in JWT, token metadata can be retrieved from a token directly while, in fernet token, token metadata has to be obtained via communication with keystone to decrypt the token.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":488,"context_line":"Method`)."},{"line_number":489,"context_line":""},{"line_number":490,"context_line":"If it\u0027s not possible to bind a client certificate to token by using the tokens,"},{"line_number":491,"context_line":"a new table to manage relationship between tokens and certificates needs to be"},{"line_number":492,"context_line":"added to Keystone DB.  
An example of the DB table is shown below."},{"line_number":493,"context_line":""},{"line_number":494,"context_line":"access_token_oauth2::"},{"line_number":495,"context_line":"    `id` uuid"}],"source_content_type":"text/x-rst","patch_set":10,"id":"9e02fd5d_ba9d6bc9","line":492,"range":{"start_line":491,"start_character":0,"end_line":492,"end_character":21},"updated":"2022-07-22 14:42:27.000000000","message":"As discussed in the previous meeting, I would prefer not to do this.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":488,"context_line":"Method`)."},{"line_number":489,"context_line":""},{"line_number":490,"context_line":"If it\u0027s not possible to bind a client certificate to token by using the tokens,"},{"line_number":491,"context_line":"a new table to manage relationship between tokens and certificates needs to be"},{"line_number":492,"context_line":"added to Keystone DB.  
An example of the DB table is shown below."},{"line_number":493,"context_line":""},{"line_number":494,"context_line":"access_token_oauth2::"},{"line_number":495,"context_line":"    `id` uuid"}],"source_content_type":"text/x-rst","patch_set":10,"id":"76bb81a8_8987ea54","line":492,"range":{"start_line":491,"start_character":0,"end_line":492,"end_character":21},"in_reply_to":"9e02fd5d_ba9d6bc9","updated":"2022-07-27 08:19:40.000000000","message":"Removed this alternative in the PS11.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3164622630963d444c12a021b088c29e2de3dd3","unresolved":true,"context_lines":[{"line_number":612,"context_line":"Performance Impact"},{"line_number":613,"context_line":"------------------"},{"line_number":614,"context_line":""},{"line_number":615,"context_line":"None"},{"line_number":616,"context_line":""},{"line_number":617,"context_line":"Other Deployer Impact"},{"line_number":618,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":10,"id":"bcd734d1_7683e8f4","line":615,"range":{"start_line":615,"start_character":0,"end_line":615,"end_character":4},"updated":"2022-07-22 14:42:27.000000000","message":"In the case of adding fields to a token, this will slightly increase the token size, so there will be a slight performance impact.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"},{"author":{"_account_id":33455,"name":"Hiromu Asahina","email":"hiromu.a5a@gmail.com","username":"h_asahina"},"change_message_id":"e9ae6e6eefc04c2b87c31a110db4b68952693f58","unresolved":true,"context_lines":[{"line_number":612,"context_line":"Performance Impact"},{"line_number":613,"context_line":"------------------"},{"line_number":614,"context_line":""},{"line_number":615,"context_line":"None"},{"line_number":616,"context_line":""},{"line_number":617,"context_line":"Other Deployer 
Impact"},{"line_number":618,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3dfee989_45f5e23e","line":615,"range":{"start_line":615,"start_character":0,"end_line":615,"end_character":4},"in_reply_to":"bcd734d1_7683e8f4","updated":"2022-07-27 08:19:40.000000000","message":"Described the performance impact in the PS11.","commit_id":"2f8cec5e3718e94baae8aeeac6aa67a20c250acc"}]}
