OpenStack Identity supports customizable token providers. This is specified in the
[token] section of the configuration file. The token provider
controls the token construction, validation, and revocation operations.
You can register your own token provider by configuring the following property:
More commonly, you can use this option to change the token provider to one of the ones built in. Alternatively, you can use it to configure your own token provider.
provider - token provider driver. Defaults to fernet. Implemented by keystone.token.providers.fernet.Provider. This is the entry point for the token provider in the
Below is the detailed list of the token formats supported by keystone:
fernet tokens do not need to be persisted at all, but require that you run keystone-manage fernet_setup (also see the
Fernet tokens are bearer tokens. They must be protected from unnecessary disclosure to prevent unauthorized access.
jws tokens do not need to be persisted at all, but require that you configure an asymmetric key pair to sign and validate tokens. The key pair can be generated using keystone-manage create_jws_keypair or it can be generated out-of-band manually so long as it is compatible with the JWT ES256 Elliptic Curve Digital Signature Algorithm (ECDSA) using a P-256 curve and a SHA-256 hash algorithm.
JWS tokens are bearer tokens. They must be protected from unnecessary disclosure to prevent unauthorized access.
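A public key generated out-of-band can be checked for ES256 compatibility before keystone is pointed at it. The Python below is an added example, not keystone's own code: it uses only the standard library, its function names are hypothetical, and the sample key is constructed from the P-256 base point rather than taken from a real deployment.

```python
import base64
import textwrap

# DER header of a SubjectPublicKeyInfo for id-ecPublicKey on prime256v1
# (P-256); the uncompressed point 0x04 || X || Y follows it.
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
# NIST P-256 domain parameters: y^2 = x^3 - 3x + b (mod p).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def pem_to_der(pem):
    """Strip the armor of a PEM PUBLIC KEY block and decode its base64 body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or (lines[0], lines[-1]) != ("-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----"):
        raise ValueError("not a PEM SubjectPublicKeyInfo block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def es256_compatible(pem):
    """Return (ok, reason): can this PEM public key verify ES256 signatures?"""
    try:
        der = pem_to_der(pem)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, str(exc)
    if not der.startswith(P256_SPKI_PREFIX):
        return False, "not an EC key on the P-256 (prime256v1) curve"
    point = der[len(P256_SPKI_PREFIX):]
    if len(point) != 65 or point[0] != 0x04:
        return False, "expected a 65-byte uncompressed point"
    x, y = int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        return False, "point is not on the P-256 curve"
    return True, "P-256 public key, usable with ES256"


def to_pem(der):
    """Wrap DER bytes in PUBLIC KEY armor (used here to build sample input)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


# Constructed sample input: the P-256 base point G stands in for a public key.
GX = "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
GY = "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
SAMPLE_PEM = to_pem(P256_SPKI_PREFIX + b"\x04" + bytes.fromhex(GX + GY))

if __name__ == "__main__":
    print(es256_compatible(SAMPLE_PEM))
```

The check covers the public half only; the matching private key needs the same curve and must stay readable by the keystone service alone.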