Support sub-second accuracy in Fernet's creation timestamp
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Won't Fix | Medium | Unassigned |
Bug Description
The fernet token provider has a sub-second format, but it is currently truncated to .000000Z. This is because the library (pyca/cryptography [0]) that keystone relies on for generating fernet tokens uses integer timestamps instead of floats, which loses sub-second accuracy. We should find a way to support sub-second accuracy in Fernet's creation timestamp so that we don't hit token revocation edge cases, like the ones documented here - https:/
This will likely have to be a coordinated effort between the cryptography development community and the maintainers of the Fernet specification [1].
This bug is to track that we include the corresponding fix (via version bump of cryptography) for keystone.
[0] https:/
[1] https:/
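The truncation described in the report, as an added example that is not code from keystone or pyca/cryptography: it lays out the token header the Fernet specification defines (version byte `0x80`, then a 64-bit big-endian count of whole seconds) and shows that the fraction is gone before the token is signed. The function names, the key, the filler IV and ciphertext, and the `looks_revoked` comparison rule are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

VERSION = 0x80             # version byte from the Fernet specification
KEY = b"k" * 16            # constructed signing key, illustration only


def pack_token(created_at: float, signing_key: bytes = KEY) -> bytes:
    """Build a Fernet-shaped token. IV and ciphertext are constructed filler
    (no AES is performed); the header layout and HMAC placement follow the spec."""
    header = struct.pack(">BQ", VERSION, int(created_at))  # fraction dropped here
    body = header + bytes(16) + bytes(16)                   # IV + one filler block
    mac = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


def issued_at(token: bytes) -> int:
    """Read the creation timestamp back out of the token header."""
    raw = base64.urlsafe_b64decode(token)
    version, seconds = struct.unpack(">BQ", raw[:9])
    if version != VERSION:
        raise ValueError("not a Fernet token")
    return seconds


def render_issued_at(seconds: int) -> str:
    """Format with microseconds, which are always zero for a Fernet timestamp."""
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def looks_revoked(token: bytes, revoked_at: float) -> bool:
    """Assumed, simplified rule: tokens issued at or before the event are revoked."""
    return issued_at(token) <= revoked_at


if __name__ == "__main__":
    base = 1_700_000_000                      # constructed sample time
    early, late = pack_token(base + 0.10), pack_token(base + 0.90)
    print(issued_at(early), issued_at(late))  # same whole second for both
    print(render_issued_at(issued_at(late)))
    # Token created 0.5 s after the revocation event still compares as older.
    print(looks_revoked(pack_token(base + 0.75), revoked_at=base + 0.25))
```

Any two events inside the same second become indistinguishable once the token is packed, so ordering a token against a revocation event depends on how both sides round.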
tags: added: fernet
Changed in keystone: importance: Undecided → Medium
Changed in keystone: status: New → Won't Fix
As discussed at the midcycle, the direction we are moving is towards no subsecond support anywhere instead.