oauth login silently ignores scope

Bug #1579659 reported by Jamie Lennox on 2016-05-09
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Medium
Assigned to: omkar_telee
Milestone: none

Bug Description

OAuth authentication is always scoped within an oauth authentication.

Because it's still just a v3 authentication you can provide your own scope with an oauth request. Whatever you provide as scope to the authentication is silently ignored and your token is scoped to whatever project the oauth is scoped to.

Note: This should not be a security risk because you are always being scoped to where your authorization is. The oauth scope is being used in preference to your request scope.

I think this should fail. If you provide scope information separate and different from your oauth scope information then this should be a bad request and you should not get a token.

I'm attaching the test script i'm using to play with oauth. You can run it with the admin credentials from devstack.

Dolph Mathews (dolph) wrote :

I agree, you should get a 400 error - the scope will never be honored in conjunction with OAuth (just like with trusts).
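
As an added illustration (written for this report; it is not keystone's code and not the test script attached to the bug), the following Python model shows the two behaviours the description and the comment above describe for a v3 POST /v3/auth/tokens request whose identity method is oauth1: the reported behaviour, where an explicit "scope" block is silently dropped and the token takes the project bound to the OAuth access token, and the requested behaviour, where a scope that differs from that project is rejected with a 400. The access-token table, the ids, the BadRequest type and the simplified "oauth1" sub-dict (a real request carries the signed OAuth header rather than an access token id in the body) are assumptions made for the example.

```python
"""Model of v3 token issuance with the oauth1 auth method.

Added illustration for this bug report, not keystone code. Compares the
reported behaviour (request scope silently ignored) with the proposed one
(conflicting scope is a 400). All ids and the token table are constructed.
"""
from dataclasses import dataclass


class BadRequest(Exception):
    """Stands in for keystone's HTTP 400 response (assumed for the example)."""


@dataclass(frozen=True)
class AccessToken:
    """Subset of an OAuth1 access token record: the project it was
    authorized for when the consumer obtained it."""
    user_id: str
    project_id: str


# Constructed sample data: one OAuth1 access token already authorized to p-admin.
ACCESS_TOKENS = {
    "a1b2c3": AccessToken(user_id="u-admin", project_id="p-admin"),
}


def build_auth_request(access_token_id, scope_project_id=None):
    """Build a v3 auth request body using the oauth1 method.

    The nesting (auth.identity.methods, auth.identity.oauth1, auth.scope)
    mirrors the v3 API layout; the oauth1 sub-dict is simplified to carry the
    access token id directly instead of a signed OAuth header.
    """
    body = {"auth": {"identity": {"methods": ["oauth1"],
                                  "oauth1": {"access_token_id": access_token_id}}}}
    if scope_project_id is not None:
        body["auth"]["scope"] = {"project": {"id": scope_project_id}}
    return body


def _resolve_oauth_authorization(body):
    """Look up the project the OAuth access token was authorized for."""
    token_id = body["auth"]["identity"]["oauth1"]["access_token_id"]
    try:
        return ACCESS_TOKENS[token_id]
    except KeyError:
        raise BadRequest("unknown access token")


def requested_project(body):
    """Project id from the explicit auth.scope block, or None if absent."""
    scope = body["auth"].get("scope")
    if not scope:
        return None
    return scope["project"]["id"]


def issue_token_reported(body):
    """Behaviour described in the bug: whatever auth.scope says, the token is
    scoped to the access token's project and the request scope is ignored."""
    access = _resolve_oauth_authorization(body)
    return {"user_id": access.user_id, "project_id": access.project_id}


def issue_token_proposed(body):
    """Behaviour the thread asks for: a scope that differs from the OAuth
    authorization is a bad request rather than being silently replaced.
    A scope equal to the authorized project is still accepted here."""
    access = _resolve_oauth_authorization(body)
    wanted = requested_project(body)
    if wanted is not None and wanted != access.project_id:
        raise BadRequest(
            f"scope project {wanted!r} conflicts with OAuth authorization "
            f"for project {access.project_id!r}")
    return {"user_id": access.user_id, "project_id": access.project_id}


def demo():
    """Same request under both behaviours: (project actually granted by the
    reported behaviour, whether the proposed behaviour rejected it)."""
    req = build_auth_request("a1b2c3", scope_project_id="p-other")
    granted = issue_token_reported(req)["project_id"]
    try:
        issue_token_proposed(req)
        rejected = False
    except BadRequest:
        rejected = True
    return granted, rejected


if __name__ == "__main__":
    print(demo())
```

Note that the model only checks the request against the project recorded on the access token; it does not sign or verify OAuth headers, which is where a real request's authorization is established.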

Changed in keystone:
importance: Undecided → Medium
tags: added: oauth1
Changed in keystone:
status: New → Triaged
tags: added: low-hanging-fruit
Richard (csravelar) on 2016-07-15
Changed in keystone:
assignee: nobody → Richard (csravelar)
Richard (csravelar) on 2016-07-25
Changed in keystone:
assignee: Richard (csravelar) → nobody
Waithira Kunene (kunene) on 2016-09-20
Changed in keystone:
assignee: nobody → Waithira Kunene (kunene)
David Stanek (dstanek) wrote :

Unassigned due to inactivity.

Changed in keystone:
assignee: Waithira Kunene (kunene) → nobody
Changed in keystone:
assignee: nobody → Anthony Washington (anthony-washington)
Changed in keystone:
assignee: Anthony Washington (anthony-washington) → Annapoornima Koppad (annakoppad)
Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Annapoornima Koppad (annakoppad) → nobody
Changed in keystone:
assignee: nobody → omkar_telee (omkar-telee)
Colleen Murphy (krinkle) wrote :

This would be an API breaking change. I don't think we can accept this until we implement microversions or decide we want a v4.

tags: added: fix-requires-microversion
Colleen Murphy (krinkle) on 2018-10-29
tags: removed: low-hanging-fruit