Validate identity providers during token validation
Previously, it was possible to validate a federated keystone token
after the identity provider associated by that token was deleted,
which is a security concern.
This commit does two things. First it makes it so that the token
cache is invalidated when identity providers are deleted. Second,
it validates the identity provider in the token data and ensures it
actually exists in the system before considering the token valid.
Reviewed: https://review.openstack.org/531915
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f463bdccf130ad5e6bd2adb5fba785455477de00
Submitter: Zuul
Branch: master
commit f463bdccf130ad5e6bd2adb5fba785455477de00
Author: Lance Bragstad <email address hidden>
Date: Mon Jan 8 22:03:50 2018 +0000
Change-Id: I57491c5a7d657b25cc436452acd7fcc4cd285839
Closes-Bug: 1291157
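
The following is an added illustration, not code from the keystone commit. It is a minimal in-memory model of why the commit message lists two changes: with a validation cache in front of the check, neither change alone rejects a token that was already validated before its identity provider was deleted. All class, method and sample names are hypothetical.

```python
# Illustrative model only; names are hypothetical and not keystone's API.
class Unauthorized(Exception):
    pass

class TokenService:
    def __init__(self, check_idp, invalidate_on_delete):
        self.idps = {"corp-saml"}   # constructed sample identity provider
        self.tokens = {}            # token id -> token data
        self.cache = {}             # token id -> cached validation result
        self.check_idp = check_idp
        self.invalidate_on_delete = invalidate_on_delete

    def issue(self, token_id, user, idp_id):
        if idp_id not in self.idps:
            raise Unauthorized("unknown identity provider")
        self.tokens[token_id] = {"user": user, "idp_id": idp_id}

    def delete_idp(self, idp_id):
        self.idps.discard(idp_id)
        if self.invalidate_on_delete:
            # First change: cached validation results are dropped on deletion.
            self.cache.clear()

    def validate(self, token_id):
        if token_id in self.cache:
            return self.cache[token_id]   # a cache hit skips every check below
        data = self.tokens.get(token_id)
        if data is None:
            raise Unauthorized("unknown token")
        # Second change: the identity provider named in the token must exist.
        if self.check_idp and data["idp_id"] not in self.idps:
            raise Unauthorized("identity provider no longer exists")
        self.cache[token_id] = data
        return data

def token_survives_idp_deletion(check_idp, invalidate_on_delete):
    """Return True if a federated token still validates after its IdP is deleted."""
    svc = TokenService(check_idp, invalidate_on_delete)
    svc.issue("tok-1", "alice", "corp-saml")
    svc.validate("tok-1")            # warm the validation cache
    svc.delete_idp("corp-saml")
    try:
        svc.validate("tok-1")
        return True
    except Unauthorized:
        return False

if __name__ == "__main__":
    for check in (False, True):
        for inval in (False, True):
            print(check, inval, token_survives_idp_deletion(check, inval))
```

Only the combination of both changes rejects the token; the existence check alone is masked by the cached result, and cache invalidation alone just repeats a validation that never looks at the identity provider.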