A few months ago, we did a write-up on the new PKI Token default introduced in Grizzly Keystone.
It described the new authentication workflow and the fact that services no longer need to constantly validate tokens against Keystone: validation can be done on the service endpoint with the help of security certificates.
How this really works has been bugging me for a while, since I was confused about the concepts of encoding/decoding/encrypting/decrypting. Let's walk through it.
Note: