Comment 20 for bug 1129713

Dolph Mathews (dolph) wrote : Re: Validation of PKI tokens bypasses revocation check

ttx: using UUID tokens implicitly enables online verification. A PKI token will attempt to be verified offline.

So to require online verification, you can have keystone start issuing UUID tokens:

  token_format = UUID

+1 for impact description.

Adam: in folsom, the following code exposes the specific reason for auth failure back to the client:

+ raise exceptions.Unauthorized(
+ 'Token does not belong to specified tenant.')
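Review bot: the message string passed to Unauthorized here ("Token does not belong to specified tenant.") tells the client which validation check rejected the token, which distinguishes a valid-but-wrong-tenant token from an invalid one; for folsom, where the exception text is returned to the client, raise Unauthorized() with no message and record the specific reason in the server-side log instead so operators keep the diagnostic detail.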

In grizzly, the details of the failure are suppressed unless you're running in debug mode (so this code would be fine in grizzly). For the folsom patch, this needs to be simplified a bit:

+ raise exceptions.Unauthorized()