oauth login silently ignores scope
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Triaged | Medium | omkar_telee |
Bug Description
OAuth authentication is always scoped within an oauth authentication.
Because it's still just a v3 authentication you can provide your own scope with an oauth request. Whatever you provide as scope to the authentication is silently ignored and your token is scoped to whatever project the oauth is scoped to.
Note: This should not be a security risk because you are always being scoped to where your authorization is. The oauth scope is being used in preference to your request scope.
I think this should fail. If you provide scope information separate and different from your oauth scope information then this should be a bad request and you should not get a token.
I'm attaching the test script I'm using to play with oauth. You can run it with the admin credentials from devstack.
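The behaviour described above, and the rejection the reporter asks for, as an added example that is not keystone's code and not the attached test script. It models a v3 auth request whose identity method is `oauth1` and compares the request's `scope` block with the project the OAuth access token is bound to; the `AccessToken` class, the function names and the sample project ids are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class AccessToken:
    """Hypothetical stand-in for the OAuth access token keystone looks up."""
    project_id: str


class BadRequest(Exception):
    """Raised where keystone would answer HTTP 400."""


def _require_oauth1(auth_request):
    methods = auth_request["auth"]["identity"].get("methods", [])
    if "oauth1" not in methods:
        raise ValueError("example only handles the oauth1 method")


def current_behaviour(auth_request, access_token):
    """What the bug report describes: the request scope is never consulted."""
    _require_oauth1(auth_request)
    return access_token.project_id


def proposed_behaviour(auth_request, access_token):
    """Honour the token's scope, but reject a request scope that disagrees."""
    _require_oauth1(auth_request)
    requested = auth_request["auth"].get("scope")
    if requested is None:
        return access_token.project_id  # no explicit scope: nothing to conflict
    # Only a project scope naming the token's own project by id can agree
    # with the binding; domain scope, "unscoped", or another project conflict.
    if not isinstance(requested, dict) or set(requested) != {"project"}:
        raise BadRequest("scope conflicts with OAuth access token scope")
    if requested["project"].get("id") != access_token.project_id:
        raise BadRequest("scope conflicts with OAuth access token scope")
    return access_token.project_id


def oauth1_request(scope=None):
    """Constructed sample v3 auth body; the oauth1 credentials travel in the
    Authorization header, so the identity block carries nothing here."""
    body = {"auth": {"identity": {"methods": ["oauth1"], "oauth1": {}}}}
    if scope is not None:
        body["auth"]["scope"] = scope
    return body
```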
Changed in keystone: assignee: nobody → Richard (csravelar)
Changed in keystone: assignee: Richard (csravelar) → nobody
Changed in keystone: assignee: nobody → Waithira Kunene (kunene)
Changed in keystone: assignee: nobody → Anthony Washington (anthony-washington)
Changed in keystone: assignee: Anthony Washington (anthony-washington) → Annapoornima Koppad (annakoppad)
Changed in keystone: assignee: nobody → omkar_telee (omkar-telee)
tags: added: fix-requires-microversion
tags: removed: low-hanging-fruit
I agree, you should get a 400 error - the scope will never be honored in conjunction with OAuth (just like with trusts).