Token binding embeds information from an external authentication mechanism, such as a Kerberos server, inside a token. By using token binding, a client can enforce the use of a specified external authentication mechanism with the token. This additional security mechanism ensures that if a token is stolen, for example, it is not usable without external authentication.
You configure the authentication types for a token binding in the keystone.conf file:

    [token]
    bind = kerberos

Currently only kerberos is supported.
To enforce checking of token binding, set the enforce_token_bind option to one of these modes:

disabled: Disables token bind checking.

permissive: Enables bind checking. If a token is bound to an unknown authentication mechanism, the server ignores it. This is the default mode.

strict: Enables bind checking. If a token is bound to an unknown authentication mechanism, the server rejects it.

required: Enables bind checking. Requires use of at least one authentication mechanism for tokens.

named: Enables bind checking. Requires use of the specified authentication mechanism for tokens:

    [token]
    enforce_token_bind = kerberos
![]() | Note |
|---|---|
Do not set |
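
The modes differ mainly in how they treat unbound tokens and unknown mechanisms. The following Python model is an added example, not code from Keystone or from this page; it runs the modes against constructed tokens. The function name `check_bind`, the `{mechanism: identity}` shapes, the sample principals, and the rule that every mode other than permissive rejects an unknown mechanism are assumptions.

```python
# Added illustration of the enforce_token_bind modes; not Keystone source code.
SUPPORTED = {"kerberos"}  # the only bind type the page lists as supported
GENERIC_MODES = {"disabled", "permissive", "strict", "required"}


def check_bind(mode, token_bind, external_auth):
    """Return (allowed, reason) for one request.

    token_bind:    assumed shape {mechanism: identity}, embedded in the token
    external_auth: assumed shape {mechanism: identity}, proven on this request
    """
    if mode == "disabled":
        return True, "bind checking disabled"
    # Any value outside the four generic modes names a required mechanism.
    named = None if mode in GENERIC_MODES else mode
    if not token_bind:
        if mode in ("permissive", "strict"):
            return True, "token carries no bind"
        return False, "mode requires a bound token"
    if named and named not in token_bind:
        return False, f"token is not bound to {named}"
    for mech, identity in token_bind.items():
        if mech not in SUPPORTED:
            if mode == "permissive":
                continue  # unknown mechanism is ignored
            # Assumption: every other mode rejects, as strict does.
            return False, f"unknown bind mechanism {mech}"
        if mech not in external_auth or external_auth[mech] != identity:
            return False, f"{mech} identity does not match the bind"
    return True, "bind satisfied"


if __name__ == "__main__":
    alice = {"kerberos": "alice@EXAMPLE.COM"}  # constructed principal
    cases = [
        ("permissive", alice, alice),          # legitimate, authenticated use
        ("permissive", alice, {}),             # stolen token, no Kerberos auth
        ("permissive", {"x509": "ab12"}, {}),  # unknown mechanism ignored
        ("strict", {"x509": "ab12"}, {}),      # unknown mechanism rejected
        ("required", {}, {}),                  # unbound token refused
        ("kerberos", alice, alice),            # named mode satisfied
    ]
    for mode, bind, auth in cases:
        print(f"{mode:10} bind={bind} auth={auth} -> {check_bind(mode, bind, auth)}")
```

A token bound only to an unknown mechanism passes in permissive mode without any external authentication, which is the case strict mode closes.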

