OAuth Identity token gives Forbidden
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Won't Fix | Undecided | Unassigned |
python-openstackclient | New | Undecided | Unassigned |
Bug Description
I have enabled OAuth1 in Keystone Kilo, then followed the flow described here:
https:/
Created a consumer, created a request token, authorized the request token, exchanged it for an access token and finally obtained an Identity token out of the access token, which looks like:
HTTP/1.1 201 Created
Date: Thu, 04 Feb 2016 00:20:13 GMT
Server: Apache/2.4.10 (Linux/SUSE)
Content-Length: 7982
X-Subject-Token: 5bae545dc72d499
Vary: X-Auth-Token
x-openstack-
Content-Type: application/json
{"token": {"methods": ["oauth1"], "roles": [{"id": "9fe2ff9ee4384b
Then when I try to use the token for example to list servers:
openstack --os-token 5bae545dc72d499
I get a surprising error:
Forbidden: You are not authorized to perform the requested action. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-34f9098e-
After some debugging I found out that my call gets rejected at:
def token_authentic
    try:
        # Do not allow tokens used for delegation to
        # create another token, or perform any changes of
        # state in Keystone. To do so is to invite elevation of
        # privilege attacks
        if token_ref.
            raise exception.
What am I missing here? My token definitely is oauth_scoped and how am I supposed to use this Identity token?
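The following is an added example, not code from the report, from keystone or from python-openstackclient. It models the distinction the reporter ran into: a delegated (OAuth1-scoped) token is accepted as X-Auth-Token on an ordinary API request, but the same token is refused by the token authentication method when a client first tries to exchange it for a fresh token, which is what the last comment suspects openstackclient does. The sample token bodies, the OS-OAUTH1 / OS-TRUST:trust markers used to detect delegation scoping, and the use_token helper are assumptions for illustration.

```python
"""Added example (not keystone's or python-openstackclient's code): why an
OAuth1-scoped identity token is accepted on an API request but refused when
a client tries to exchange it for another token.

Assumptions not stated in the report: a v3 token body carries an 'OS-OAUTH1'
section when issued through the oauth1 method and an 'OS-TRUST:trust' section
when issued through a trust; the token bodies below are constructed samples.
"""


class Forbidden(Exception):
    """Stand-in for keystone.exception.Forbidden (HTTP 403)."""


class KeystoneToken:
    """Minimal stand-in for keystone's token model wrapper."""

    def __init__(self, token_id, token_data):
        self.token_id = token_id
        self.body = token_data["token"]

    @property
    def oauth_scoped(self):
        # Assumption: delegated OAuth1 tokens carry an OS-OAUTH1 section.
        return "OS-OAUTH1" in self.body

    @property
    def trust_scoped(self):
        # Assumption: trust-scoped tokens carry an OS-TRUST:trust section.
        return "OS-TRUST:trust" in self.body

    @property
    def project_id(self):
        return self.body.get("project", {}).get("id")

    @property
    def role_names(self):
        return sorted(r["name"] for r in self.body.get("roles", []))


def token_authenticate(token_ref):
    """The 'token' auth method: exchange an existing token for a new one.

    Mirrors the check quoted in the report: a token obtained through
    delegation must not mint another token, because the new token would
    shed the delegation's constraints (elevation of privilege).
    """
    if token_ref.oauth_scoped or token_ref.trust_scoped:
        raise Forbidden("delegated tokens may not create another token")
    return {"token": {"methods": ["token"],
                      "roles": token_ref.body["roles"],
                      "project": token_ref.body.get("project")}}


def authorize_request(token_ref, project_id):
    """Direct use of the token as X-Auth-Token against a service endpoint.

    No delegation check here: the service only needs the token's scope and
    roles for policy enforcement.
    """
    if token_ref.project_id != project_id:
        raise Forbidden("token is not scoped to the requested project")
    return token_ref.role_names


def use_token(token_id, token_data, project_id, reauthenticate):
    """Model the two client behaviours and return (http_status, detail).

    reauthenticate=False: send the token as-is in X-Auth-Token.
    reauthenticate=True:  first POST it to /v3/auth/tokens with method
                          'token', as a client that re-authenticates would.
    """
    token_ref = KeystoneToken(token_id, token_data)
    try:
        if reauthenticate:
            token_ref = KeystoneToken("fresh-id", token_authenticate(token_ref))
        return 200, authorize_request(token_ref, project_id)
    except Forbidden as exc:
        return 403, str(exc)


# Constructed sample bodies (abbreviated; not the report's full token).
OAUTH_TOKEN = {"token": {
    "methods": ["oauth1"],
    "roles": [{"id": "r1", "name": "Member"}],
    "project": {"id": "p1", "name": "demo"},
    "OS-OAUTH1": {"access_token_id": "at1", "consumer_id": "c1"},
}}
PASSWORD_TOKEN = {"token": {
    "methods": ["password"],
    "roles": [{"id": "r1", "name": "Member"}],
    "project": {"id": "p1", "name": "demo"},
}}

if __name__ == "__main__":
    print(use_token("oauth-tok", OAUTH_TOKEN, "p1", reauthenticate=False))
    print(use_token("oauth-tok", OAUTH_TOKEN, "p1", reauthenticate=True))
    print(use_token("pw-tok", PASSWORD_TOKEN, "p1", reauthenticate=True))
```

The first call succeeds with the Member role, the second returns 403 from the delegation check, and the third shows that an ordinary password token survives the same re-authentication path. If a client behaves like the second call, the fix is on the client side: present the OAuth-scoped token directly rather than re-authenticating with it.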
Changed in keystone: milestone: none → mitaka-3
Changed in keystone: milestone: mitaka-3 → none
@bogdan, are you able to repeat the problem, but add --help to the openstackclient command? I'm wondering if openstackclient is attempting to re-authenticate instead of just using the token.