Logging out of horizon does not invalidate IdP session
Bug #1515825 reported by Haneef Ali
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Invalid | Undecided | Unassigned |
OpenStack Identity (keystone) | Won't Fix | Low | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
Steps to reproduce
1) Configure OpenID Connect to use Gmail
2) Configure Horizon to use WebSSO
3) Login via Horizon using OpenID as IdP
4) Gmail login screen will appear; you enter credentials and then you will be logged in
4) Do something
5) Logout of Horizon
-- Do one more login
6) Login via Horizon using OpenID as IdP (same as step 3)
7) Gmail login screen doesn't appear and Horizon logs in directly (step 4 doesn't happen)
Basically, when you log out of Horizon, the session you had with Gmail is not invalidated. So after a person has logged out, another person can log in without entering credentials.
This is true for ADFS too.
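The behaviour above is the classic "local logout only" gap: the dashboard drops its own session but never tells the identity provider, so the IdP cookie in the same browser silently re-authenticates the next visitor. The standard mitigation for an OpenID Connect deployment is RP-initiated logout: on logout, redirect the browser to the IdP's `end_session_endpoint` (advertised in the discovery document) with `id_token_hint` and `post_logout_redirect_uri`. The Python below is an added example, not Horizon or keystone code; the discovery documents and hostnames are constructed placeholders, and a real deployment would fetch the document from `<issuer>/.well-known/openid-configuration`.

```python
"""Build an OpenID Connect RP-initiated logout URL for a dashboard logout flow.

Added example, not Horizon/keystone code. Field names (end_session_endpoint,
id_token_hint, post_logout_redirect_uri, state) are the standard OIDC
Discovery / RP-Initiated Logout parameter names; everything else here
(hostnames, tokens) is constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample discovery documents (placeholder hostnames).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "end_session_endpoint": "https://idp.example.test/logout",
}

# An IdP that does not advertise RP-initiated logout at all.
SAMPLE_DISCOVERY_NO_LOGOUT = {
    "issuer": "https://idp-no-logout.example.test",
    "authorization_endpoint": "https://idp-no-logout.example.test/authorize",
}


class LogoutNotSupported(Exception):
    """Raised when the IdP advertises no end_session_endpoint."""


def build_rp_initiated_logout_url(discovery, id_token, post_logout_redirect_uri, state):
    """Return the URL the browser must be sent to so the IdP session ends too.

    Clearing only the dashboard's own session (the behaviour in this bug)
    leaves the IdP session alive, so the next visitor at the same browser is
    re-authenticated without a credential prompt.
    """
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise LogoutNotSupported("IdP discovery document has no end_session_endpoint")
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        # Never send the id_token_hint over a cleartext endpoint.
        raise ValueError("end_session_endpoint must be https")
    if urlsplit(post_logout_redirect_uri).scheme != "https":
        raise ValueError("post_logout_redirect_uri must be https")

    # id_token_hint identifies the session being ended; state is echoed back
    # on the post-logout redirect so the dashboard can match the round trip.
    params = [
        ("id_token_hint", id_token),
        ("post_logout_redirect_uri", post_logout_redirect_uri),
        ("state", state),
    ]
    # Preserve any query parameters the IdP already puts on the endpoint.
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True) + params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def logout_decision(discovery, id_token, post_logout_redirect_uri, state):
    """Decide what a dashboard logout view should do after dropping the local session.

    Returns where to redirect the browser and whether the IdP session is
    actually being terminated, so the caller can log or warn when it is not.
    """
    try:
        url = build_rp_initiated_logout_url(discovery, id_token, post_logout_redirect_uri, state)
        return {"redirect": url, "idp_session_terminated": True}
    except LogoutNotSupported:
        # Fall back to the local landing page, but record that the upstream
        # session survives: this is exactly the condition reported in the bug.
        return {"redirect": post_logout_redirect_uri, "idp_session_terminated": False}


if __name__ == "__main__":
    # Constructed inputs: a fake id_token value and a placeholder dashboard URL.
    for doc in (SAMPLE_DISCOVERY, SAMPLE_DISCOVERY_NO_LOGOUT):
        print(logout_decision(doc, "example.id.token", "https://dashboard.example.test/auth/logout/", "s1"))
```

A logout view built on this should always destroy its own session first and then issue the redirect; when `idp_session_terminated` comes back `False`, the deployment is still exposed to the shared-browser scenario in the report, and that is worth surfacing in logs or a warning on the post-logout page rather than silently ignoring it.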
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
Changed in horizon:
status: New → Invalid
Changed in keystone:
importance: Undecided → Low
description: updated
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.