OpenStack Identity (keystone)

idp deletion should trigger token revocation

Bug #1291157 reported by Steve Martinelli on 2014-03-12

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) queens-rc1

Bug Description

When a federation IdP is deleted, the tokens that were issued (and still active) and associated with the IdP should be deleted. To prevent unwarranted access. The fix should delete any tokens that are associated with the idp, upon deletion (and possibly update, too).

Tags:

Steve Martinelli (stevemar) on 2014-03-12

Changed in keystone:
importance:	Undecided → High
milestone:	none → icehouse-rc1

Dolph Mathews (dolph) on 2014-03-12

summary:	- idp deletion should trigger token deletion + idp deletion should trigger token revocation
Changed in keystone:
status:	New → Triaged

Revision history for this message

Dolph Mathews (dolph) wrote on 2014-03-18:

As discussed in today's keystone meeting, keystoneclient.middleware.auth_token can track valid IdPs on GET /v3/OS-FEDERATION/identity_providers and compare them to tokens to test for validity.

Changed in python-keystoneclient:
status:	New → Triaged
importance:	Undecided → High
Changed in keystone:
milestone:	icehouse-rc1 → next
Changed in python-keystoneclient:
milestone:	none → 0.7.0

Dolph Mathews (dolph) on 2014-03-24

Changed in python-keystoneclient:
milestone:	0.7.0 → none

Navid Pustchi (npustchi) on 2014-05-29

Changed in keystone:
assignee:	nobody → Navid Pustchi (npustchi)
Changed in python-keystoneclient:
assignee:	nobody → Navid Pustchi (npustchi)

Revision history for this message

Victor Silva (victorsilva) wrote on 2014-10-17:

For anyone who tries to tackle this in the future, @rodrigods, @raildo, @tellesnobrega and I gave it a try and this is where we got:

As discussed on #keystone, this seems to be fairly easy to solve for UUID tokens, and should be done on the server (keystone), as indicated by @ayoung.

For PKI tokens, however, we might still need to do some more work elsewhere. The validation step in keystonemiddleware doesn't have access to the entire token, just its id, and the same approach of simply double checking a token's IdP against the list of valid IdPs won't work.

There is an ongoing discussion about things that might help, with mentions to revocation events, decreasing the lifespan of tokens and fixing up mappings between IdP and domains. Whoever solves this should watch out for these changes and figure out another approach!

Revision history for this message

Dolph Mathews (dolph) wrote on 2014-10-20:

The IdP ID was included in federated tokens specifically to support IdP IDs appearing in revocation events (and being able to match the two together in keystonemiddleware.auth_token). I don't see a need for an alternative solution (with or without regard to UUID vs PKI).

Steve Martinelli (stevemar) on 2015-06-16

Changed in keystone:
assignee:	Navid Pustchi (npustchi) → nobody
Changed in python-keystoneclient:
assignee:	Navid Pustchi (npustchi) → nobody

Marek Denis (marek-denis) on 2015-06-30

Changed in keystone:
assignee:	nobody → Paweł Pamuła (pawel-pamula)
Changed in python-keystoneclient:
assignee:	nobody → Paweł Pamuła (pawel-pamula)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-07: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/210456

Changed in keystone:
status:	Triaged → In Progress

Revision history for this message

David Chadwick (d-w-chadwick) wrote on 2015-08-07:

I fully understand why IDP deletion should delete/revoke tokens, but why should an update to the IDP trigger the same thing? E.g. suppose the SAML meta data for an IDP is updated. This should not mean that users tokens are invalidated. e.g. key update is a perfectly normal event as keys have a natural life span

Revision history for this message

Marek Denis (marek-denis) wrote on 2015-08-08:

metadata would be upgraded in apache module, so there is no direct link with revocation events.
Speaking of updating, token should be invalidated only when the idp is set to disabled. Other than that, there are configuration changes, but as David pointed out, the IdP is still deemed enabled.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-12:

Fix proposed to branch: master
Review: https://review.openstack.org/212047

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-12: Change abandoned on keystone (master)

Change abandoned by Paweł Pamuła (<email address hidden>) on branch: master
Review: https://review.openstack.org/212047
Reason: Duplicate change.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-14: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/213104

OpenStack Infra (hudson-openstack) on 2015-08-28

Changed in keystone:
assignee:	Paweł Pamuła (pawel-pamula) → Marek Denis (marek-denis)

Dolph Mathews (dolph) on 2015-08-28

tags:

added: federation

Revision history for this message

Steve Martinelli (stevemar) wrote on 2015-12-01:

#10

unassigning due to inactivity and failing patch sets, also this doesn't affect keystoneclient

Changed in python-keystoneclient:
status:	Triaged → Invalid
Changed in keystone:
status:	In Progress → Confirmed
assignee:	Marek Denis (marek-denis) → nobody
Changed in python-keystoneclient:
assignee:	Paweł Pamuła (pawel-pamula) → nobody
Changed in keystone:
milestone:	next → none

Steve Martinelli (stevemar) on 2016-01-28

Changed in python-keystoneclient:
importance:	High → Medium
Changed in keystone:
importance:	High → Medium

Steve Martinelli (stevemar) on 2016-02-22

tags:

added: revoke

OpenStack Infra (hudson-openstack) on 2016-03-09

Changed in keystone:
assignee:	nobody → Sean Perry (sean-perry-a)
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-10: Change abandoned on keystone (master)

#11

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: master
Review: https://review.openstack.org/210456
Reason: This change has not seen love in quite a number of months. Abandoning. It can be restored if someone would like to take another stab at it.

Revision history for this message

Steve Martinelli (stevemar) wrote on 2016-08-01:

#12

unassigning due to inactivity

Changed in keystone:
assignee:	Sean Perry (sean-perry-a) → nobody
status:	In Progress → Confirmed
no longer affects:	python-keystoneclient

Ron De Rose (ronald-de-rose) on 2017-01-23

Changed in keystone:
assignee:	nobody → Anthony Washington (anthony-washington)

Revision history for this message

Anthony Washington (anthony-washington) wrote on 2017-01-26:

#14

https://review.openstack.org/#/c/414720/29 -- Fixed issue.

Changed in keystone:
status:	Confirmed → Invalid
assignee:	Anthony Washington (anthony-washington) → nobody

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-01-27:

#15

I'm not sure https://review.openstack.org/#/c/414720/29 complete fixes the issue. I don't think that patch (list federated attributes for users) adds a revocation event of any kind when an Identity Provider is deleted.

There are a couple proposed solutions that have been abandon that we can pick and try to move forward through [0].

[0] https://review.openstack.org/210456

Changed in keystone:
status:	Invalid → Confirmed

Revision history for this message

Steve Martinelli (stevemar) wrote on 2017-01-27:

#16

@Lance, i think the referenced patch was incorrect, https://review.openstack.org/#/c/415906/ may have fixed the issue.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-01-27:

#17

Aha - I read that as https://review.openstack.org/#/c/414720/ (federated attributes for user) as fixing the issue. https://review.openstack.org/#/c/415906/ should have a different impact on this bug.

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-10-17:

#18

I was able to recreate this using master, so the bug is still present. Pushing a patch to expose the behavior.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-17: Fix proposed to keystone (master)

#19

Fix proposed to branch: master
Review: https://review.openstack.org/512872

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Confirmed → In Progress

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-10-17:

#20

this patch exposes the issue https://review.openstack.org/#/c/512872/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-18: Fix merged to keystone (master)

#21

Reviewed: https://review.openstack.org/512872
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8f2273a54e5349b5e7f94924f54297bb9b0164fe
Submitter: Zuul
Branch: master

commit 8f2273a54e5349b5e7f94924f54297bb9b0164fe
Author: Lance Bragstad <email address hidden>
Date: Tue Oct 17 21:41:21 2017 +0000

Deleting an identity provider doesn't invalidate tokens

This commit exposes a bug where it's possible to continue using a
federated token even after the identity provider is deleted.

Change-Id: Id19ff4f7823bdc2b078f27f9dc544f7a5ff9ea99
Partial-Bug: 1291157

Lance Bragstad (lbragstad) on 2017-11-21

tags:

added: office-hours

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-01-08: Fix proposed to keystone (master)

#22

Fix proposed to branch: master
Review: https://review.openstack.org/531915

Colleen Murphy (krinkle) on 2018-01-24

Changed in keystone:
milestone:	none → queens-rc1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-01: Change abandoned on keystone (master)

#23

Change abandoned by Kristi Nikolla (<email address hidden>) on branch: master
Review: https://review.openstack.org/210456
Reason: Superseded by https://review.openstack.org/#/c/531915/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-07: Fix merged to keystone (master)

#24

Reviewed: https://review.openstack.org/531915
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f463bdccf130ad5e6bd2adb5fba785455477de00
Submitter: Zuul
Branch: master

commit f463bdccf130ad5e6bd2adb5fba785455477de00
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 8 22:03:50 2018 +0000

Validate identity providers during token validation

    Previously, it was possible to validate a federated keystone token
    after the identity provider associated by that token was deleted,
    which is a security concern.

    This commit does two things. First it makes it so that the token
    cache is invalidated when identity providers are deleted. Second,
    it validates the identity provider in the token data and ensures it
    actually exists in the system before considering the token valid.

Change-Id: I57491c5a7d657b25cc436452acd7fcc4cd285839
Closes-Bug: 1291157

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-09: Fix included in openstack/keystone 13.0.0.0rc1

#25

This issue was fixed in the openstack/keystone 13.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-04-15: Change abandoned on keystone (master)

#26

Change abandoned by Colleen Murphy (<email address hidden>) on branch: master
Review: https://review.openstack.org/213104
Reason: This bug was fixed via https://review.openstack.org/531915 , so I am going to administratively abandon this patch. Feel free to restore if you think closing this is an error.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.