Fernet token response has wrong methods

Bug #1430062 reported by Haneef Ali
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Morgan Fainberg

Bug Description

If you validate a Fernet token, the token response has 2 methods. Since the token is obtained using the "password" method, the response should only have the "password" method.

ex - token response

        "expires_at": "2015-03-14T03:06:39Z",
        "extras": {},
        "issued_at": "2015-03-09T23:06:39Z",
        "methods": [
            "password",
            "token"
        ],

Tags: fernet
Dolph Mathews (dolph)
tags: added: fernet
Changed in keystone:
importance: Undecided → Medium
milestone: none → kilo-3
status: New → Triaged
Changed in keystone:
assignee: nobody → Satyanarayana Patibandla (satya-patibandla)
Dolph Mathews (dolph) wrote :

I'm guessing we're going to have to encode a tuple of auth methods into each Fernet token payload. Assuming our auth method names we need to handle are well-known values, it would be a waste to store the entire method names as strings, so I'd suggest trying to map byte values to the method names in an enumeration.

A fix for this should also be based on (at least) https://review.openstack.org/#/c/160993/

Lance Bragstad (lbragstad) wrote :

I was working on this earlier today from a previous discussion. I wasn't aware there was a bug open for this. I can link my fix to this bug, but if there is another fix being worked, don't hesitate to incorporate it.

Changed in keystone:
assignee: Satyanarayana Patibandla (satya-patibandla) → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Lance Bragstad (lbragstad) wrote :

Review proposed for fixing this issue:

https://review.openstack.org/#/c/163601/

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Morgan Fainberg (mdrnstm)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/163601
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1053433acfd655397c811bfe87f45749e786a89c
Submitter: Jenkins
Branch: master

commit 1053433acfd655397c811bfe87f45749e786a89c
Author: Lance Bragstad <email address hidden>
Date: Wed Mar 11 15:37:00 2015 -0500

    Allow methods to be carried in Fernet tokens.

    Previously, Fernet tokens assumed the authentication method in validation. This
    change makes it so that methods is passed in the token as an integer and
    reformatted on validation.

    Closes-Bug: 1430062
    Change-Id: I2e07dd18c303a1ed98770e8b6d484d9f41b04c3b
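
The encoding suggested in the comments and described in the merged commit (methods carried in the token as an integer and expanded again on validation), shown as an added example that is not keystone's code. The method registry, the bitmask scheme, the one-byte payload layout and all function names are assumptions made for illustration.

```python
# Added illustration: hypothetical names, not keystone's API.
import struct

# Assumed fixed, ordered registry of well-known auth method names.
# The order must never change once tokens are issued, or existing
# tokens would decode to the wrong methods.
AUTH_METHODS = ("external", "password", "token", "oauth1", "saml2")
METHOD_BITS = {name: 1 << i for i, name in enumerate(AUTH_METHODS)}


def methods_to_int(methods):
    """Pack a list of auth method names into one integer bitmask."""
    mask = 0
    for name in methods:
        if name not in METHOD_BITS:
            raise ValueError("unknown auth method: %r" % name)
        mask |= METHOD_BITS[name]
    return mask


def int_to_methods(mask):
    """Unpack a bitmask into method names; reject bits with no mapping."""
    known = (1 << len(AUTH_METHODS)) - 1
    if mask < 0 or mask & ~known:
        raise ValueError("bitmask has unmapped bits: %#x" % mask)
    return [name for name in AUTH_METHODS if mask & METHOD_BITS[name]]


def pack_payload(methods, user_id):
    """Constructed layout: 1 byte of methods, then the UTF-8 user id.

    These bytes stand in for the plaintext that would be encrypted
    into the token; the encryption step is out of scope here.
    """
    return struct.pack("!B", methods_to_int(methods)) + user_id.encode("utf-8")


def unpack_payload(blob):
    """Recover (methods, user_id) exactly as issued, with nothing assumed."""
    (mask,) = struct.unpack("!B", blob[:1])
    return int_to_methods(mask), blob[1:].decode("utf-8")


if __name__ == "__main__":
    blob = pack_payload(["password"], "constructed-user-id")
    print(unpack_payload(blob))  # methods come back as ['password'] only
```

Because the validator reads the methods from the payload instead of assuming them, a token issued with only "password" reports only "password", which is the behaviour the bug report asks for.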

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0