/v3/auth/tokens cannot be used for issuing unscoped tokens during federated authn

Bug #1296348 reported by Marek Denis
This bug affects 1 person

Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Marek Denis |
openstack-api-site | Fix Released | Undecided | Marek Denis |

Bug Description

URL /v3/auth/tokens cannot be used when issuing unscoped federated tokens, as such a URL must be configured as protected in the mod_shib configuration. Thus, a dedicated URL must be able to run federated authentication. Also, as initial data used by the client is usually lost during federated authentication (due to many HTTP redirections between SP and IdP), it's advised for clients to access a URL with the IdP and protocol specified in the URL.

Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/82375

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph)
Changed in keystone:
milestone: none → icehouse-rc1
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → High
Marek Denis (marek-denis) wrote :

Identity-API fix proposed at: https://review.openstack.org/82532

Changed in openstack-api-site:
assignee: nobody → Marek Denis (marek-denis)
assignee: Marek Denis (marek-denis) → nobody
assignee: nobody → Marek Denis (marek-denis)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to identity-api (master)

Reviewed: https://review.openstack.org/82532
Committed: https://git.openstack.org/cgit/openstack/identity-api/commit/?id=cd9f137d5a572aebdf3d91d5c887f11c7e191c67
Submitter: Jenkins
Branch: master

commit cd9f137d5a572aebdf3d91d5c887f11c7e191c67
Author: Marek Denis <email address hidden>
Date: Mon Mar 24 17:12:54 2014 +0100

    Add dedicated URL for federated authentication.

    Describe new URL for federated authentication
    ``/v3/OS-FEDERATION/identity_providers/{identity_provider}/
    protocols/{protocol}/auth`` and available HTTP methods.

    Change-Id: Ic25e726c9c146050575b68c29ed3c6c8dab27016
    Closes-Bug: #1296348

Changed in openstack-api-site:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/82375
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=983d8aac2cb52e180d3fbacb163699976c809ec5
Submitter: Jenkins
Branch: master

commit 983d8aac2cb52e180d3fbacb163699976c809ec5
Author: Marek Denis <email address hidden>
Date: Sun Mar 23 19:10:20 2014 +0100

    Add dedicated URL for issuing unscoped federation tokens.

    Add URL /v3/OS-FEDERATION/identity_providers/{identity_providers}/
    protocols/{protocols}/auth that can be later used as a protected
    endpoint in mod_shib configuration.
    Client should be able to access this URL with a HTTP GET and POST
    methods, passing the information about the identity provider as well
    as protocol in the URL.

    Change-Id: Ib6c6bc761f73844e1fc5fd7c606c7a5573077b6b
    Closes-Bug: #1296348

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc1 → 2014.1
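
The mod_shib protection this bug is about, as an added example that is not part of the bug report or of the keystone code: the shared token endpoint left unprotected, and only the dedicated federation URL from the fix placed behind Shibboleth. It assumes keystone is served by Apache httpd at the server root with mod_shib loaded, and that the federation protocol is registered under the name `saml2`.

```apache
# Constructed example. Assumes keystone is mounted at the server root of an
# Apache httpd with mod_shib loaded, and a federation protocol named "saml2".

# Before: protecting the shared token endpoint. Every request to
# /v3/auth/tokens, federated or not, would then need a Shibboleth session.
#<Location /v3/auth/tokens>
#    AuthType shibboleth
#    ShibRequestSetting requireSession 1
#    Require valid-user
#</Location>

# After: only the dedicated federation URL is protected. The identity
# provider id is matched by pattern; the protocol segment is pinned, and the
# expression is anchored so that no longer path falls under this rule.
<LocationMatch "^/v3/OS-FEDERATION/identity_providers/[^/]+/protocols/saml2/auth$">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
    Require valid-user
</LocationMatch>

# mod_shib's own handler endpoints (SSO, metadata) stay reachable.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>
```

After a reload, a request to the federation URL without a Shibboleth session should be redirected towards the IdP, while `/v3/auth/tokens` should still reach keystone directly.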