Comment 11 for bug 1434034

Morgan Fainberg (mdrnstm) wrote : Re: Even if the user is disabled, can use the last token is validated

@Adam,

This is the issue with LDAP / Read-Only backends *and* a secondary issue with default middleware behavior:

===== Read-Only Backend =====
We don't know a user was disabled. We should check this when live-validating a token. With PKI(Z) there is nothing we can do. The request to do a .user_is_enabled check is not unreasonable (for federated users we obviously can't do this, but that is a separate concern with respect to the notification from the IdP on user disable; this is an expected gap that we should be addressing in Liberty).

===== Keystonemiddleware w/o TRL checking (default) =====
KSM caches for ~300s, so we will keep tokens valid once they've been validated. TRL is a PKI-ism, and can be (is?) disabled by default with UUID since we don't have signing infrastructure.
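The two gaps above, modelled as a small Python simulation. This is an added example written for this page, not code from Keystone or keystonemiddleware: `TokenCache`, `live_validate`, `validate_with_cache` and the in-memory `backend` dict are hypothetical stand-ins for the middleware's validation cache and a read-only (LDAP-style) identity backend. It shows that a token validated once keeps validating from the cache for the full TTL after the user is disabled, and that without a user-enabled check at live validation the read-only backend case never catches the disable at all.

```python
"""Hypothetical model (not keystone/keystonemiddleware code) of two ways a
disabled user's token keeps validating: a middleware-side validation cache,
and a read-only identity backend that is only consulted if live validation
asks whether the user is still enabled."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Token:
    token_id: str
    user_id: str
    expires_at: float  # absolute time, seconds


@dataclass
class TokenCache:
    """Stand-in for the middleware cache: remembers the last validation
    result for a token id for `ttl` seconds (the ~300s mentioned above)."""
    ttl: float = 300.0
    _entries: Dict[str, Tuple[bool, float]] = field(default_factory=dict)

    def get(self, token_id: str, now: float) -> Optional[bool]:
        entry = self._entries.get(token_id)
        if entry is None:
            return None
        valid, stored_at = entry
        if now - stored_at >= self.ttl:
            del self._entries[token_id]  # stale, force a live validation
            return None
        return valid

    def put(self, token_id: str, valid: bool, now: float) -> None:
        self._entries[token_id] = (valid, now)


def live_validate(token: Token, now: float, backend: Dict[str, dict],
                  check_user_enabled: bool) -> bool:
    """Server-side validation. The expiry check is always done; the
    user-enabled lookup against the (read-only) backend is the optional
    .user_is_enabled-style check the comment argues for."""
    if now >= token.expires_at:
        return False
    if check_user_enabled:
        user = backend.get(token.user_id)
        if user is None or not user["enabled"]:
            return False
    return True


def validate_with_cache(token: Token, now: float, cache: TokenCache,
                        backend: Dict[str, dict],
                        check_user_enabled: bool) -> bool:
    """Middleware-side validation: serve from cache if fresh, else go live."""
    cached = cache.get(token.token_id, now)
    if cached is not None:
        return cached
    result = live_validate(token, now, backend, check_user_enabled)
    cache.put(token.token_id, result, now)
    return result


def scenario(check_user_enabled: bool, cache_ttl: float) -> Tuple[bool, bool, bool]:
    """Validate a token, disable its user, then validate again inside and
    after the cache TTL. Returns (before_disable, shortly_after_disable,
    after_cache_expiry)."""
    backend = {"alice": {"enabled": True}}          # constructed sample user
    token = Token("tok-1", "alice", expires_at=3600.0)  # constructed sample
    cache = TokenCache(ttl=cache_ttl)

    before = validate_with_cache(token, 0.0, cache, backend, check_user_enabled)
    backend["alice"]["enabled"] = False             # admin disables the user
    shortly_after = validate_with_cache(token, 10.0, cache, backend,
                                        check_user_enabled)
    after_ttl = validate_with_cache(token, cache_ttl + 1.0, cache, backend,
                                    check_user_enabled)
    return before, shortly_after, after_ttl


if __name__ == "__main__":
    print("enabled check + 300s cache :", scenario(True, 300.0))
    print("no enabled check (read-only):", scenario(False, 300.0))
    print("enabled check, no cache    :", scenario(True, 0.0))
```

Read the three rows together: with the enabled check in place the token still validates for the cache window after the disable and only fails once the cache entry expires; without the check (the read-only backend gap) it validates until the token itself expires; and with caching off the disable takes effect on the very next validation.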