revocation list should not be a protected resource
Bug #1211602 reported by
Morgan Fainberg
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Won't Fix
|
Wishlist
|
Unassigned | ||
Bug Description
The Revocation List resources should not be protected. The Revocation list is akin to a CRL and likely should be available for public consumption as a CRL would be.
Resources are:
v3: /auth/tokens/
v2: /tokens/revoked
| Changed in keystone: | |
| assignee: | nobody → Adam Young (ayoung) |
Revision history for this message
| Adam Young (ayoung) wrote | #1 |
| Changed in keystone: | |
| importance: | Undecided → Wishlist |
| status: | New → Confirmed |
Revision history for this message
| Dolph Mathews (dolph) wrote | #2 |
Revision history for this message
| Dolph Mathews (dolph) wrote | #3 |
| Changed in keystone: | |
| assignee: | Adam Young (ayoung) → nobody |
| Changed in keystone: | |
| assignee: | nobody → Juan Antonio Osorio Robles (juan-osorio-robles) |
| Changed in keystone: | |
| assignee: | Juan Antonio Osorio Robles (juan-osorio-robles) → nobody |
| Changed in keystone: | |
| status: | Confirmed → Won't Fix |
To post a comment you must log in.
Yes, but to expose it in its current form, it will leak tokens that, while revoked, might not yet be identified as such by a service. There will be a window in which a revoked token will be usable, and this open a security vulnerability.
We are goint to redo the revocation in Icehouse timeframe.