oauth request token can be created with a project that doesn't exist

Bug #1420120 reported by Steve Martinelli
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Steve Martinelli

Bug Description

An oauth request token can be created with a project that doesn't exist. There is no security risk here, since when the request token is exchanged for an access token, the controller checks if the user has roles on that project.

This causes confusion for the delegator/delegatee, since the request token was created fine, leading to a poor user experience. We should check to ensure the project is created.

Changed in keystone:
assignee: nobody → Steve Martinelli (stevemar)
status: New → In Progress
Steve Martinelli (stevemar) wrote :
Changed in keystone:
importance: Undecided → Low
milestone: none → kilo-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/145701
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ee2f991923d40154a0e7ec2e324af8de6cd1ba40
Submitter: Jenkins
Branch: master

commit ee2f991923d40154a0e7ec2e324af8de6cd1ba40
Author: Steve Martinelli <email address hidden>
Date: Thu Jan 8 01:56:55 2015 -0500

    Check consumer and project id before creating request token

    We could save the user a lot of trouble by checking to make
    sure the project and consumer being passed in are valid.

    Closes-Bug: #1420120

    Change-Id: I3af3ea1c52fbc9e4f05771d3e463a192aed46dbd

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0
keerthivasan selvaraj (keerthiv) wrote :

Hi Steve Martinelli,

Can you please help me with how to get a request_token in keystone OAuth 1.0 using v3?

I tried this way using curl, with no luck:

curl -v -X POST http://172.xx.xx.x:35357/v3/OS-OAUTH1/request_token -d '{"consumer_id":"7787c7240fa44f9585bfe048e65b7e2d","requested_project_id":"5409ca785ad74463abb519223d8de3b2"}' --header 'Authorization: OAuth oauth_timestamp="1359019570",oauth_version="1.0",oauth_signature_method="HMAC-SHA1",oauth_consumer_key="58ea636fe141421388aba42593263317"' -H "Content-type: application/json"

I got an error. Can you please help me regarding this issue.
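Editor's note: the curl request in the comment above carries an OAuth header without oauth_nonce or oauth_signature, so no OAuth 1.0a server can accept it as signed. The following is an added example (not keystone's code and not the commenter's request) of what a complete, signed request_token call looks like, built with only the Python standard library per RFC 5849 (HMAC-SHA1), together with the recomputation a server does to verify it. Assumptions not taken from the page: the endpoint URL and consumer secret are made up; the consumer key and project id reuse the identifiers from the comment; as I understand keystone's API, the consumer is identified by oauth_consumer_key and the project goes in a Requested-Project-Id header rather than a JSON body, and oauth_callback="oob" is used for the out-of-band flow.

```python
"""Signed OAuth 1.0a request for keystone's OS-OAUTH1 request_token endpoint.

Added example (not keystone's own code). Assumptions, none from the page:
the consumer secret and endpoint URL are constructed, and the project is
passed in the Requested-Project-Id header.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values. Consumer key and project id reuse the identifiers
# shown in the comment above; the secret and URL are invented for the example.
KEYSTONE_URL = "http://keystone.example:35357/v3/OS-OAUTH1/request_token"
CONSUMER_KEY = "58ea636fe141421388aba42593263317"
CONSUMER_SECRET = "consumer-secret-from-keystone"  # hypothetical
PROJECT_ID = "5409ca785ad74463abb519223d8de3b2"


def percent_encode(value):
    """RFC 5849 section 3.6: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay as-is."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 section 3.4.1.2: lower-cased scheme/host, default port dropped, no query."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    host = parts.hostname.lower()
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded URI & encoded, sorted k=v list."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_string_uri(url)), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret' (empty token here)."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def build_request_token_headers(url, consumer_key, consumer_secret, project_id, *, nonce=None, timestamp=None):
    """Client side: headers for POST url asking for a request token scoped to project_id."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
        "oauth_callback": "oob",  # out-of-band: the verifier is handed over by the authorizing user
    }
    oauth_params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string("POST", url, oauth_params), consumer_secret)
    authorization = "OAuth " + ", ".join(f'{k}="{percent_encode(v)}"' for k, v in oauth_params.items())
    # The project is a plain header; it is not part of the signed material (see verify_request).
    return {"Authorization": authorization, "Requested-Project-Id": project_id}


def parse_oauth_header(header):
    """Split 'OAuth k="v", k2="v2"' back into a dict, undoing the percent-encoding."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for part in header[len("OAuth "):].split(","):
        key, _, value = part.strip().partition("=")
        params[key] = unquote(value.strip('"'))
    return params


def verify_request(method, url, authorization, consumer_secret, *, now=None, max_skew=300):
    """Server side: recompute the signature and compare in constant time.

    False on a wrong secret, any tampered oauth_* parameter, or a timestamp more
    than max_skew seconds from `now` (the skew check is skipped when now is None).
    """
    params = parse_oauth_header(authorization)
    presented = params.pop("oauth_signature", None)
    if presented is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if now is not None:
        try:
            if abs(now - int(params.get("oauth_timestamp", ""))) > max_skew:
                return False
        except ValueError:
            return False
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    headers = build_request_token_headers(KEYSTONE_URL, CONSUMER_KEY, CONSUMER_SECRET, PROJECT_ID)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("verifies:", verify_request("POST", KEYSTONE_URL, headers["Authorization"], CONSUMER_SECRET))
```

Note that Requested-Project-Id sits outside the signature base string, so the signature proves only that the holder of the consumer secret sent this request; nothing in the OAuth layer says the project is real. That is exactly why the checks discussed in this bug matter: the merged fix validates the consumer and project when the request token is created, and, as the description says, the controller verifies the user's roles on the project again when the request token is exchanged for an access token.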
