Federated domain is reported when validating a federated token

Bug #1754048 reported by Kristi Nikolla on 2018-03-07
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Assigned to: Kristi Nikolla

Bug Description

Prior to introducing per idp domains, all federated users lived in the Federated domain. That is not the case anymore, but Keystone keeps reporting that federated users are part of that domain rather than their per-idp domains.

Token validation: http://paste.openstack.org/show/693652/
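As an added illustration of the defect described above (this is not Keystone's code and not from the bug report; the token layout, domain and IdP ids, user names and the `find_misreported_domains` helper are all constructed for the example), the block below models a federated token renderer in both forms: the pre-fix one, where the mapped domain is overwritten with the hardcoded 'Federated' name, and the fixed one, where the per-IdP domain simply flows through. It also includes a small audit helper a deployer could run over validated-token responses to spot users still being reported in the legacy domain.

```python
"""Added example, not code from Keystone or the bug report.

Models the defect described in the bug: a federated user's token
reported the hardcoded 'Federated' domain instead of the per-IdP
domain the user was actually mapped into. Shows the overwrite, the
fixed rendering where the mapped domain flows through, and an audit
helper that flags validated tokens still reporting the legacy domain.
All identifiers (domain/IdP ids, user names) are constructed, and the
token dict layout is an assumption made for this example.
"""
from dataclasses import dataclass

LEGACY_FEDERATED_DOMAIN = "Federated"  # hardcoded name the bug describes


@dataclass(frozen=True)
class FederatedUser:
    """Ephemeral user as produced by the IdP mapping (constructed)."""
    user_id: str
    name: str
    domain_id: str    # per-IdP domain the mapping placed the user in
    domain_name: str
    idp_id: str
    protocol_id: str


def _base_token(user: FederatedUser) -> dict:
    """Token body carrying the user's mapped domain, shared by both renderers."""
    return {
        "user": {
            "id": user.user_id,
            "name": user.name,
            "domain": {"id": user.domain_id, "name": user.domain_name},
            "OS-FEDERATION": {
                "identity_provider": {"id": user.idp_id},
                "protocol": {"id": user.protocol_id},
                "groups": [],
            },
        }
    }


def render_token_buggy(user: FederatedUser) -> dict:
    """Pre-fix behaviour: the mapped domain is overwritten on the way out."""
    token = _base_token(user)
    # The overwrite the fix removed: every federated user is reported in
    # the 'Federated' domain regardless of where the mapping put them.
    token["user"]["domain"] = {
        "id": LEGACY_FEDERATED_DOMAIN,
        "name": LEGACY_FEDERATED_DOMAIN,
    }
    return token


def render_token_fixed(user: FederatedUser) -> dict:
    """Post-fix behaviour: nothing touches the domain, so the mapped one is reported."""
    return _base_token(user)


def find_misreported_domains(tokens: list, idp_domains: dict) -> list:
    """Audit helper for validated-token responses (constructed).

    idp_domains maps identity_provider id -> the domain id configured for
    that IdP. Returns (user_id, reported, expected) for every token whose
    reported domain does not match, which is the symptom from the report.
    """
    findings = []
    for token in tokens:
        user = token["user"]
        idp_id = user["OS-FEDERATION"]["identity_provider"]["id"]
        expected = idp_domains.get(idp_id)
        reported = user["domain"]["id"]
        if expected is not None and reported != expected:
            findings.append((user["id"], reported, expected))
    return findings


# Constructed sample: two users from two IdPs, each mapped into its own domain.
SAMPLE_USERS = [
    FederatedUser("u-1", "alice", "d-acme", "acme", "idp-acme", "saml2"),
    FederatedUser("u-2", "bob", "d-widgets", "widgets", "idp-widgets", "oidc"),
]
IDP_DOMAINS = {"idp-acme": "d-acme", "idp-widgets": "d-widgets"}

if __name__ == "__main__":
    buggy = [render_token_buggy(u) for u in SAMPLE_USERS]
    fixed = [render_token_fixed(u) for u in SAMPLE_USERS]
    print("buggy:", find_misreported_domains(buggy, IDP_DOMAINS))
    print("fixed:", find_misreported_domains(fixed, IDP_DOMAINS))
```

The audit helper matters because anything downstream that keys authorization or logging on the user's domain (per-domain policy, domain-scoped admin roles, audit trails) sees the value in the token response, not the value the mapping produced; comparing the two against the IdP-to-domain configuration is a cheap way to confirm a deployment is on a release that carries the fix.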

Lance Bragstad (lbragstad) wrote :

I noticed this when doing some refactoring of the token provider API recently. I agree that we should get the token provider up-to-speed by populating the identity provider's domain in the token response, instead of the cookie-cutter Federated domain.

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote :

This was technically found in the Queens release and probably true for older releases that use federation. I don't think this is something we need to fix for Rocky.

Fix proposed to branch: master
Review: https://review.openstack.org/651614

Changed in keystone:
assignee: nobody → Kristi Nikolla (knikolla)
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/653068

Reviewed: https://review.opendev.org/653068
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c2be944fb89f94a10d7105b2e072eeab5582c5a7
Submitter: Zuul
Branch: master

commit c2be944fb89f94a10d7105b2e072eeab5582c5a7
Author: Kristi Nikolla <email address hidden>
Date: Tue Apr 16 14:11:36 2019 -0400

    Report correct domain in federated user token

    Regardless of what domain the user was in, the domain reported in
    the token would be hardcoded to 'Federated' (regardless of the
    federated_domain_name config option).

    This patch removes the places where the domain was overwritten,
    and allows the correct domain to flow to the rendered token.
    It also updates the tests where it was being checked for
    the 'Federated' domain.

    Change-Id: Idad4e077c488d87f75172664fb519232eb78e292
    Closes-Bug: 1754048

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/651614
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d78ac78395e05bbcce6674d7150e8ec25c3a558e
Submitter: Zuul
Branch: master

commit d78ac78395e05bbcce6674d7150e8ec25c3a558e
Author: Kristi Nikolla <email address hidden>
Date: Wed Apr 10 13:19:57 2019 -0400

    Deprecate [federation] federated_domain_name

    Prior to introducing per idp domains, all ephemeral users lived
    in the Federated domain. That is not the case anymore, since they
    now live in the domain of the idp.

    Change-Id: Ife501adf7b122d2c987e132dbfafe0717760c1bb
    Partial-Bug: 1754048
    Partial-Bug: 1829454

This issue was fixed in the openstack/keystone release candidate.
