V3 Identity API: 'Methods' on auth needs better documentation
Bug #1208280 reported by justinsb
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Confirmed | Wishlist | Unassigned | |
Bug Description
V3 adds a list of methods to the auth request. This could use some extra specification:
What happens if the method list is omitted, but e.g. password data is provided?
What happens if two methods result in different outcomes? Do the methods have to be tried in order and then 'first success returns'?
I think supporting multiple methods in one call is going to be incredibly difficult to get right. What is the motivation here? Is this supposed to support multi-factor auth?
tags: added: documentation
Changed in keystone: assignee: nobody → Navid Pustchi (npustchi)
Changed in keystone: assignee: Navid Pustchi (npustchi) → nobody
Changed in keystone: assignee: nobody → tarantoool (tarantoool)
Changed in keystone: assignee: tarantoool (tarantoool) → nobody
tags: added: api-ref
tags: added: office-hours
tags: added: oauth reviewed-bobcat
I completely agree. The best existing documentation that I'm aware of is here (see the "methods" attribute):
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#tokens
> What happens if the method list is omitted, but e.g. password data is provided?
I would expect a 400 Bad Request, as I expect "methods" to be a required object in the request. However, it doesn't appear to be documented that way. And yes, it's completely redundant with the methods that are actually presented.
> What happens if two methods result in different outcomes?
I'm not sure this is defined at the API level (this is arguably a concern for the implementation?) but I would expect a 401.
> Do the methods have to be tried in order and then 'first success returns'?
Again, I don't think this is defined at the API level, but in this case, I think it should be. All authentication methods should be validated and fail fast.
> I think supporting multiple methods in one call is going to be incredibly difficult to get right.
Agree!
> What is the motivation here? Is this supposed to support multi-factor auth?
Yes, "methods" is explicitly intended to support multi-factor authentication.
In terms of a "bug," I'm marking this as 'wishlist' but it should be relatively high priority work to clearly define these behaviors.
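The semantics the comment above expects can be written down as a small checker. This is an added example, not part of the original thread and not Keystone's code: it returns 400 when "methods" is missing or does not match the supplied method data, and 401 unless every declared method passes. The handler registry, the sample credentials and the choice of "totp" as the second factor are assumptions made for the illustration.

```python
# Added illustration, not Keystone code. The credential checks are constructed
# stand-ins; the status mapping follows the expectations in the comment above.

def check_password(data):
    user = data.get("user")
    return (isinstance(user, dict) and user.get("name") == "alice"
            and user.get("password") == "s3cret")

def check_totp(data):
    user = data.get("user")
    return isinstance(user, dict) and user.get("passcode") == "123456"

HANDLERS = {"password": check_password, "totp": check_totp}  # hypothetical registry

def authenticate(body, handlers=HANDLERS):
    """Return the HTTP status for a v3-style auth request body."""
    auth = body.get("auth") if isinstance(body, dict) else None
    identity = auth.get("identity") if isinstance(auth, dict) else None
    if not isinstance(identity, dict):
        return 400
    methods = identity.get("methods")
    # "methods" is required even when method data such as "password" is present.
    if not isinstance(methods, list) or not methods:
        return 400
    if not all(isinstance(m, str) and m in handlers for m in methods):
        return 400
    if len(set(methods)) != len(methods):
        return 400
    # Declared methods and supplied method data must match exactly.
    if set(identity) - {"methods"} != set(methods):
        return 400
    if not all(isinstance(identity[m], dict) for m in methods):
        return 400
    # Every declared method must pass; all() stops at the first failure, so
    # one failing factor yields 401 and a later success cannot override it.
    if all(handlers[m](identity[m]) for m in methods):
        return 201  # POST /v3/auth/tokens answers 201 Created on success
    return 401
```

Under a "first success returns" rule the third case in the thread (password correct, second factor wrong) would succeed, which is why that rule is incompatible with using "methods" for multi-factor authentication.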