idp deletion should trigger token revocation
Bug #1291157 reported by Steve Martinelli
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Lance Bragstad |
Bug Description
When a federation IdP is deleted, the tokens that were issued (and are still active) and associated with the IdP should be deleted, to prevent unwarranted access. The fix should delete any tokens that are associated with the IdP upon deletion (and possibly upon update, too).
Changed in keystone:
  importance: Undecided → High
  milestone: none → icehouse-rc1
  summary: idp deletion should trigger token deletion → idp deletion should trigger token revocation
Changed in keystone:
  status: New → Triaged
Changed in python-keystoneclient:
  milestone: 0.7.0 → none
Changed in keystone:
  assignee: nobody → Navid Pustchi (npustchi)
Changed in python-keystoneclient:
  assignee: nobody → Navid Pustchi (npustchi)
Changed in keystone:
  assignee: Navid Pustchi (npustchi) → nobody
Changed in python-keystoneclient:
  assignee: Navid Pustchi (npustchi) → nobody
Changed in keystone:
  assignee: nobody → Paweł Pamuła (pawel-pamula)
Changed in python-keystoneclient:
  assignee: nobody → Paweł Pamuła (pawel-pamula)
Changed in keystone:
  assignee: Paweł Pamuła (pawel-pamula) → Marek Denis (marek-denis)
  tags: added: federation
Changed in python-keystoneclient:
  importance: High → Medium
Changed in keystone:
  importance: High → Medium
  tags: added: revoke
Changed in keystone:
  assignee: nobody → Sean Perry (sean-perry-a)
  status: Confirmed → In Progress
Changed in keystone:
  assignee: nobody → Anthony Washington (anthony-washington)
  tags: added: office-hours
Changed in keystone:
  milestone: none → queens-rc1
As discussed in today's keystone meeting, keystoneclient.middleware.auth_token can track valid IdPs on GET /v3/OS-FEDERATION/identity_providers and compare them to tokens to test for validity.
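As an added illustration of the behaviour the bug description asks for (this is not keystone's code and not the fix that landed for this bug), the following Python model records a revocation event when an IdP is deleted, keyed on the IdP id and an issued-before timestamp, and rejects federated tokens that match it while leaving local tokens, tokens from other IdPs and tokens issued after the event untouched. The names Token, RevocationEvent, RevocationStore and idp_id, and all timestamps, are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class Token:
    token_id: str
    issued_at: datetime
    expires_at: datetime
    idp_id: Optional[str] = None  # set only for federated tokens (OS-FEDERATION)

@dataclass
class RevocationEvent:
    idp_id: str
    issued_before: datetime  # tokens from this IdP issued before this instant are dead

class RevocationStore:
    """Hypothetical store: IdP deletion appends an event instead of scanning tokens."""
    def __init__(self) -> None:
        self.events: List[RevocationEvent] = []

    def on_idp_deleted(self, idp_id: str, now: datetime) -> None:
        # Hook for the IdP delete path; also covers tokens that were never persisted.
        self.events.append(RevocationEvent(idp_id=idp_id, issued_before=now))

    def is_revoked(self, token: Token) -> bool:
        if token.idp_id is None:  # local (non-federated) tokens are unaffected
            return False
        return any(ev.idp_id == token.idp_id and token.issued_at < ev.issued_before
                   for ev in self.events)

def validate(token: Token, store: RevocationStore, now: datetime) -> str:
    """Return 'expired', 'revoked' or 'valid'; expiry is checked first."""
    if now >= token.expires_at:
        return "expired"
    return "revoked" if store.is_revoked(token) else "valid"

def demo() -> dict:
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamps
    ttl = timedelta(hours=1)
    store = RevocationStore()
    fed = Token("t-fed", t0, t0 + ttl, idp_id="acme-idp")
    other = Token("t-other", t0, t0 + ttl, idp_id="partner-idp")
    local = Token("t-local", t0, t0 + ttl)
    store.on_idp_deleted("acme-idp", t0 + timedelta(minutes=5))
    # An IdP re-registered under the same id issues fresh tokens after the event.
    fresh = Token("t-fresh", t0 + timedelta(minutes=10), t0 + ttl, idp_id="acme-idp")
    now = t0 + timedelta(minutes=15)
    return {tok.token_id: validate(tok, store, now) for tok in (fed, other, local, fresh)}
```

The issued-before timestamp is what lets a later re-created IdP with the same id keep issuing usable tokens without reviving the ones cut off by the deletion.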