<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/index.php?action=history&amp;feed=atom&amp;title=Keystone%2FTempUserProvisioning%2FBlueprint</id>
		<title>Keystone/TempUserProvisioning/Blueprint - Revision history</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/index.php?action=history&amp;feed=atom&amp;title=Keystone%2FTempUserProvisioning%2FBlueprint"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;action=history"/>
		<updated>2026-07-14T11:44:27Z</updated>
		<subtitle>Revision history for this page on the wiki</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22905&amp;oldid=prev</id>
		<title>Kwss: /* API changes */</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22905&amp;oldid=prev"/>
				<updated>2013-05-17T12:57:32Z</updated>
		
		<summary type="html">&lt;p&gt;‎&lt;span dir=&quot;auto&quot;&gt;&lt;span class=&quot;autocomment&quot;&gt;API changes&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;table class=&quot;diff diff-contentalign-left&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class='diff-marker' /&gt;
				&lt;col class='diff-content' /&gt;
				&lt;col class='diff-marker' /&gt;
				&lt;col class='diff-content' /&gt;
				&lt;tr style='vertical-align: top;' lang='en'&gt;
				&lt;td colspan='2' style=&quot;background-color: white; color:black; text-align: center;&quot;&gt;← Older revision&lt;/td&gt;
				&lt;td colspan='2' style=&quot;background-color: white; color:black; text-align: center;&quot;&gt;Revision as of 12:57, 17 May 2013&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l36&quot; &gt;Line 36:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 36:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;The following API changes are needed&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;The following API changes are needed&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#Addition of expiry time as an optional parameter to the call that creates a new user entry&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#Addition of expiry time as an optional parameter to the call that creates a new user entry&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;−&lt;/td&gt;&lt;td style=&quot;color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;# Addition of user ID as an optional parameter to the call that creates a new user entry.&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot;&gt;&amp;#160;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#Addition of a new API call to delete all expired user entries&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#Addition of a new API call to delete all expired user entries&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;These will be made to the API documentation&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;These will be made to the API documentation&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;

&lt;!-- diff cache key openstack_wiki:diff:version:1.11a:oldid:22904:newid:22905 --&gt;
&lt;/table&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22904&amp;oldid=prev</id>
		<title>Kwss at 12:56, 17 May 2013</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22904&amp;oldid=prev"/>
				<updated>2013-05-17T12:56:59Z</updated>
		
		<summary type="html">&lt;p&gt;&lt;/p&gt;
&lt;table class=&quot;diff diff-contentalign-left&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class='diff-marker' /&gt;
				&lt;col class='diff-content' /&gt;
				&lt;col class='diff-marker' /&gt;
				&lt;col class='diff-content' /&gt;
				&lt;tr style='vertical-align: top;' lang='en'&gt;
				&lt;td colspan='2' style=&quot;background-color: white; color:black; text-align: center;&quot;&gt;← Older revision&lt;/td&gt;
				&lt;td colspan='2' style=&quot;background-color: white; color:black; text-align: center;&quot;&gt;Revision as of 12:56, 17 May 2013&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l33&quot; &gt;Line 33:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 33:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;==== Handling token expiry ====&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;==== Handling token expiry ====&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;When a system can create both temporary and permanent users, because tokens are time limited, then it is important that a token cannot be issued which exceeds the expiry time of the user it is linked to. Therefore in order to support the addition of temporary users, the code that sets token validity should be changed so as to limit it to no later than the user expiry time.&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;When a system can create both temporary and permanent users, because tokens are time limited, then it is important that a token cannot be issued which exceeds the expiry time of the user it is linked to. Therefore in order to support the addition of temporary users, the code that sets token validity should be changed so as to limit it to no later than the user expiry time.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;−&lt;/td&gt;&lt;td style=&quot;color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;==== Specifying User IDs ====&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot;&gt;&amp;#160;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;−&lt;/td&gt;&lt;td style=&quot;color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;In order to maintain functionality for temporary users on systems which user User IDs in access control lists we have modified the user creation process to allow a user ID to passed in with the user entity, if this parameter is present, it will be used instead of the standard randomly generated ID.&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot;&gt;&amp;#160;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;==== API changes ====&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;==== API changes ====&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;The following API changes are needed&lt;/div&gt;&lt;/td&gt;&lt;td class='diff-marker'&gt;&amp;#160;&lt;/td&gt;&lt;td style=&quot;background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;The following API changes are needed&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;

&lt;!-- diff cache key openstack_wiki:diff:version:1.11a:oldid:22795:newid:22904 --&gt;
&lt;/table&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22795&amp;oldid=prev</id>
		<title>Kwss: Created page with &quot;=== Temporary User Provisioning in Keystone === There are many instances in which it might be beneficial to be able to create temporary user entries in Keystone. For example, ...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22795&amp;oldid=prev"/>
				<updated>2013-05-16T15:26:55Z</updated>
		
		<summary type="html">&lt;p&gt;Created page with &amp;quot;=== Temporary User Provisioning in Keystone === There are many instances in which it might be beneficial to be able to create temporary user entries in Keystone. For example, ...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;=== Temporary User Provisioning in Keystone ===&lt;br /&gt;
There are many instances in which it might be beneficial to be able to create temporary user entries in Keystone. For example, guest accounts and fixed term contract employees, support for short term alliances such as Virtual Organisation, or autoprovisioning of federated users. We propose adding an expiry time to user entities, and to support this, a function to delete all expired entries. In order to support backwards compatibility, the system should still allow for users to be created without an expiry time, which then denotes a permanent user that can only be deleted by an administrator.&lt;br /&gt;
The current structure of the user entity is:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;{&lt;br /&gt;
    &amp;quot;user&amp;quot;: { &lt;br /&gt;
        &amp;quot;default_project_id&amp;quot;: &amp;quot;263fd9&amp;quot;,        &lt;br /&gt;
        &amp;quot;domain_id&amp;quot;: &amp;quot;1789d1&amp;quot;,         &lt;br /&gt;
        &amp;quot;email&amp;quot;: &amp;quot;joe@example.com&amp;quot;,        &lt;br /&gt;
        &amp;quot;enabled&amp;quot;: true,         &lt;br /&gt;
        &amp;quot;id&amp;quot;: &amp;quot;0ca8f6&amp;quot;,         &lt;br /&gt;
        &amp;quot;links&amp;quot;: {             &lt;br /&gt;
            &amp;quot;self&amp;quot;: &amp;quot;http://identity:35357/v3/users/0ca8f6&amp;quot;         &lt;br /&gt;
        },         &lt;br /&gt;
        &amp;quot;name&amp;quot;: &amp;quot;Joe&amp;quot;     &lt;br /&gt;
    }&lt;br /&gt;
}&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
The proposed new structure of the user entry is:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;{     &lt;br /&gt;
    &amp;quot;user&amp;quot;: {         &lt;br /&gt;
        &amp;quot;default_project_id&amp;quot;: &amp;quot;263fd9&amp;quot;,        &lt;br /&gt;
        &amp;quot;domain_id&amp;quot;: &amp;quot;1789d1&amp;quot;,         &lt;br /&gt;
        &amp;quot;email&amp;quot;: &amp;quot;joe@example.com&amp;quot;,        &lt;br /&gt;
        &amp;quot;enabled&amp;quot;: true,         &lt;br /&gt;
        &amp;quot;id&amp;quot;: &amp;quot;0ca8f6&amp;quot;,         &lt;br /&gt;
        &amp;quot;links&amp;quot;: {             &lt;br /&gt;
            &amp;quot;self&amp;quot;: &amp;quot;http://identity:35357/v3/users/0ca8f6&amp;quot;         &lt;br /&gt;
        },         &lt;br /&gt;
        &amp;quot;name&amp;quot;: &amp;quot;Joe&amp;quot;  &lt;br /&gt;
        “expiry_time”: “2013-05-27T18:30:59.999999Z”&lt;br /&gt;
    }&lt;br /&gt;
}&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Handling token expiry ====&lt;br /&gt;
When a system can create both temporary and permanent users, because tokens are time limited, then it is important that a token cannot be issued which exceeds the expiry time of the user it is linked to. Therefore in order to support the addition of temporary users, the code that sets token validity should be changed so as to limit it to no later than the user expiry time.&lt;br /&gt;
==== Specifying User IDs ====&lt;br /&gt;
In order to maintain functionality for temporary users on systems which user User IDs in access control lists we have modified the user creation process to allow a user ID to passed in with the user entity, if this parameter is present, it will be used instead of the standard randomly generated ID.&lt;br /&gt;
==== API changes ====&lt;br /&gt;
The following API changes are needed&lt;br /&gt;
#Addition of expiry time as an optional parameter to the call that creates a new user entry&lt;br /&gt;
# Addition of user ID as an optional parameter to the call that creates a new user entry.&lt;br /&gt;
#Addition of a new API call to delete all expired user entries&lt;br /&gt;
These will be made to the API documentation&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	</feed>