Comment 0 for bug 1532280

Lance Bragstad (lbragstad) wrote : Fernet trust token is still valid when user's domain is disabled.

When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.

Part of the fix has already been incorporated into a patch up for review [0]. But since this is an inconsistency, there was a case for breaking it out into its own bug and its own fix.

Steps to reproduce
- Create two new domains
- Create two new users
- As the trustor, create a trust between the users
- As the trustee, get a trust-scoped Fernet token using the trust
- As the admin, disable the trustee's domain
- As the trustee, validate the token

The token validation in the last step should return a 401; instead, a proper token validation is returned.

[0] https://review.openstack.org/#/c/253273/27
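
The reproduction steps above, as an added example that is not part of the original report and is not keystone code: a simplified in-memory model in which validation with `check_domains=False` reproduces the reported outcome and `check_domains=True` returns the expected 401. All names (`Identity`, `validate_trust_token`, `reproduce`, the ids) are hypothetical, the data is constructed, and checking the trustor's side as well as the trustee's is an assumption.

```python
# Simplified in-memory model (constructed data; hypothetical names, not keystone code).
from dataclasses import dataclass, field


class Unauthorized(Exception):
    status = 401


@dataclass
class Identity:
    domains: dict = field(default_factory=dict)  # domain_id -> enabled
    users: dict = field(default_factory=dict)    # user_id -> (domain_id, enabled)
    trusts: dict = field(default_factory=dict)   # trust_id -> (trustor_id, trustee_id)

    def actor_enabled(self, user_id):
        """A user counts as enabled only if the user AND its domain are enabled."""
        domain_id, user_enabled = self.users[user_id]
        return user_enabled and self.domains[domain_id]


def validate_trust_token(identity, token, check_domains=True):
    """Return 200 for a valid trust-scoped token, raise Unauthorized otherwise."""
    trust = identity.trusts.get(token["trust_id"])
    if trust is None or token["user_id"] != trust[1]:
        raise Unauthorized("unknown trust or wrong trustee")
    for user_id in trust:  # trustor, then trustee
        if check_domains:
            ok = identity.actor_enabled(user_id)
        else:
            ok = identity.users[user_id][1]  # models the reported outcome: domain ignored
        if not ok:
            raise Unauthorized(f"{user_id} or its domain is disabled")
    return 200


def reproduce(check_domains):
    """Walk the six steps from the report; return (status before, status after)."""
    ident = Identity(domains={"dom_a": True, "dom_b": True},
                     users={"trustor": ("dom_a", True), "trustee": ("dom_b", True)})
    ident.trusts["trust1"] = ("trustor", "trustee")
    token = {"user_id": "trustee", "trust_id": "trust1"}
    before = validate_trust_token(ident, token, check_domains)
    ident.domains["dom_b"] = False  # admin disables the trustee's domain
    try:
        after = validate_trust_token(ident, token, check_domains)
    except Unauthorized as exc:
        after = exc.status
    return before, after
```
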