We already support some mechanisms for plugging in authentication methods, but we need to evolve the keystone architecture to enable deployers and cloud providers to use their chosen set of authn/authz mechanisms. This is not just about plugging things into the back of keystone; it also needs to take into account how tokens are validated (e.g. we do PKI today, but how would we cleanly enable some other standard token format?).
Goals for session:
- Agree a proposal for how we split authentication & authorization in terms of API, laying the groundwork for expanding the supported set of technologies
- Agree how alternative authn/z mechanisms and their token generation fit into the above structure
- Agree where and how plugin points will be provided for such alternatives, including within the auth_token middleware
- Show an example proposal for OAuth (Authorization) with OpenID Connect (Authentication) that matches the above