oauth login silently ignores scope

Bug #1579659 reported by Jamie Lennox
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Medium
Assigned to: omkar_telee
Milestone: (none)

Bug Description

OAuth authentication is always scoped within an oauth authentication.

Because it's still just a v3 authentication you can provide your own scope with an oauth request. Whatever you provide as scope to the authentication is silently ignored and your token is scoped to whatever project the oauth is scoped to.

Note: This should not be a security risk because you are always being scoped to where your authorization is. The oauth scope is being used in preference to your request scope.

I think this should fail. If you provide scope information separate and different from your oauth scope information then this should be a bad request and you should not get a token.

I'm attaching the test script I'm using to play with oauth. You can run it with the admin credentials from devstack.
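A model of the check proposed in this report, added here as an illustration and not keystone's own code. It assumes the v3 `auth` request body shape (`identity.methods`, `scope.project.id`) and a constructed `AccessToken` record standing in for the stored OAuth1 access token; a request with no explicit scope keeps today's behaviour, while any scope other than the access token's own project is rejected as a bad request instead of being silently dropped.

```python
from dataclasses import dataclass


@dataclass
class AccessToken:
    """Constructed stand-in for a stored OAuth1 access token."""
    id: str
    project_id: str          # project the consumer was authorised for
    authorizing_user_id: str


class BadRequest(Exception):
    """Maps to HTTP 400: the request contradicts its own authorization."""


def resolve_oauth_scope(auth_body: dict, access_token: AccessToken) -> str:
    """Return the project id the issued token must be scoped to.

    ``auth_body`` is the ``auth`` object of a POST /v3/auth/tokens request
    whose identity method is ``oauth1``. Raises BadRequest when the client
    supplies a scope that is not the project the access token is bound to.
    """
    identity = auth_body.get("identity", {})
    if "oauth1" not in identity.get("methods", []):
        raise ValueError("not an oauth1 authentication request")

    scope = auth_body.get("scope")
    if scope is None:
        # No explicit scope: implicitly scoped by the access token, which is
        # what keystone does today.
        return access_token.project_id

    # Only a project scope can ever match. A domain scope or the literal
    # string "unscoped" contradicts the OAuth authorization outright.
    project = scope.get("project") if isinstance(scope, dict) else None
    if project is None:
        raise BadRequest("OAuth1 tokens are always project-scoped; "
                         "the requested scope cannot be honoured")

    requested_id = project.get("id")
    if requested_id is None:
        # A project given by name+domain would need a lookup; this model
        # only accepts an explicit id.
        raise BadRequest("project scope must be given by id")
    if requested_id != access_token.project_id:
        raise BadRequest("requested project %r differs from the OAuth "
                         "authorization project %r"
                         % (requested_id, access_token.project_id))
    return access_token.project_id
```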

Dolph Mathews (dolph) wrote :

I agree, you should get a 400 error - the scope will never be honored in conjunction with OAuth (just like with trusts).

Changed in keystone:
importance: Undecided → Medium
tags: added: oauth1
Changed in keystone:
status: New → Triaged
tags: added: low-hanging-fruit
Richard (csravelar)
Changed in keystone:
assignee: nobody → Richard (csravelar)
Richard (csravelar)
Changed in keystone:
assignee: Richard (csravelar) → nobody
Waithira Kunene (kunene)
Changed in keystone:
assignee: nobody → Waithira Kunene (kunene)
David Stanek (dstanek) wrote :

Unassigned due to inactivity.

Changed in keystone:
assignee: Waithira Kunene (kunene) → nobody
Changed in keystone:
assignee: nobody → Anthony Washington (anthony-washington)
Changed in keystone:
assignee: Anthony Washington (anthony-washington) → Annapoornima Koppad (annakoppad)
Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Annapoornima Koppad (annakoppad) → nobody
Changed in keystone:
assignee: nobody → omkar_telee (omkar-telee)
Colleen Murphy (krinkle) wrote :

This would be an API breaking change. I don't think we can accept this until we implement microversions or decide we want a v4.

tags: added: fix-requires-microversion
Colleen Murphy (krinkle)
tags: removed: low-hanging-fruit