Revocation events catching too many tokens
Bug #1568674 reported by
Adam Young
This bug report is a duplicate of:
Bug #1511775: Revoking a role revokes the unscoped token for a user.
Edit
Remove
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Incomplete
|
Undecided
|
Unassigned |
Bug Description
We've seen an effect where setting the dfefault token handler to Fenet, and depending on Revocation events breaks several tests. These tests are supposed to track that a tokne comes back as invalid. However, what actually happens is the admin users token is invalid, returning a 401 instead of a 404.
Putting a 1 second delay between, for example, the delete role assignment event and the token validation causese the validation to properly return the 404.
It looks like the revocation tree is somehow matching the admin token in its check.
To post a comment you must log in.
Hi Adam,
could you write down the steps to reproduce and the version you use to explain it further.