loosen validation on matching trusted dashboard
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Lin Hua Cheng | 
Bug Description
In the current implementation for verifying where the SSO request came from, the host is grabbed from the 'origin' query parameter, and compared to the list of 'trusted_

```python
origin = context[
host = urllib.
if host in CONF.federation
...
```

This works, but unless the entry is marked perfectly in the config file, it won't match. We should loosen the validation that is performed, and maybe even use the HTTP Referer instead (and no longer require the 'origin' parameter from horizon).

We should be able to decompose the Referer to figure out the scheme + hostname + path, and use that hostname to check against the trusted dashboards.
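As an added example (not keystone's code) of the normalised comparison the report proposes, this snippet decodes an 'origin' or Referer URL and compares scheme, host, port and path component by component against a constructed trusted_dashboard list. That is deliberately stricter than the hostname-only match mentioned above: whole-component comparison rejects look-alike hosts, scheme downgrades and userinfo in the netloc that a loose substring check would accept.

```python
# Added example, not keystone's code: normalised comparison of the decoded SSO
# 'origin' (or Referer) URL against trusted_dashboard entries, as the bug proposes.
# The dashboard URLs below are constructed for the example.
from urllib.parse import urlsplit, unquote_plus

# Constructed stand-in for CONF.federation.trusted_dashboard.
TRUSTED_DASHBOARDS = [
    "https://Horizon.example.org/auth/websso/",
    "http://horizon.example.org:8080/auth/websso",
]


def _normalise(url):
    """Reduce a URL to the (scheme, host, port, path) tuple used for matching.

    The host is case-folded, a default port is dropped, userinfo is ignored
    (so 'https://trusted@evil/' is judged on 'evil', not 'trusted') and a
    trailing slash on the path is not significant. Raises ValueError on a
    malformed port or netloc.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # ValueError if the port is not an integer
    if (scheme, port) in (("https", 443), ("http", 80)):
        port = None
    path = parts.path.rstrip("/") or "/"
    return (scheme, host, port, path)


def is_trusted_dashboard(origin, trusted=TRUSTED_DASHBOARDS):
    """True when the decoded origin matches a trusted entry component by component.

    Comparing whole components rather than substrings rejects look-alikes such
    as 'horizon.example.org.evil.test' or a scheme downgrade to plain http.
    """
    if not origin:
        return False
    try:
        candidate = _normalise(unquote_plus(origin))
    except ValueError:
        return False
    if not candidate[1]:  # no hostname at all (bare path, 'javascript:', ...)
        return False
    return any(candidate == _normalise(entry) for entry in trusted)
```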
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
milestone: none → liberty-1
tags: added: federation
tags: added: security

Changed in keystone:
status: Fix Committed → Fix Released

Changed in keystone:
milestone: liberty-1 → 8.0.0
Steve, I can take a stab at this for Liberty.