More user-friendly websso unauthorized

Bug #1828783 reported by Enol Fernández
Affects                         Status      Importance   Assigned to   Milestone
OpenStack Dashboard (Horizon)   Invalid     Undecided    Unassigned
OpenStack Identity (keystone)   Won't Fix   Undecided    Unassigned

Bug Description

Whenever trying to log in to Horizon with federated identity, if the user is correctly authenticated at the IdP but not authorized by Keystone (the mapping failed), the user just gets a JSON error message:

{"error":
  {
    "message": "The request you have made requires authentication.",
    "code": 401,
    "title": "Unauthorized"
  }
}

which is not very user-friendly.

Would it be possible to catch this error by Horizon/Keystone so user gets a nicer error message?

Akihiro Motoki (amotoki) wrote :

I added keystone as an affected project. The Horizon team currently has nobody who is familiar with federated identity, and no bug like this can be resolved without keystone team support.

Colleen Murphy (krinkle) wrote :

The vague error message from keystone is intentional. We can't give more details about the cause of the failed authentication or authorization issue without exposing information an attacker could use to target the system.

If you are in a non-production test environment, you can set [DEFAULT]/insecure_debug to true in keystone, which will provide proper error messages and allow you to debug your mapping while you are setting it up, but you must disable it before moving to production for the above reasons.

Changed in keystone:
status: New → Won't Fix
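The two practical points in this thread are (a) a front end can show a friendlier message for keystone's 401 body without adding any detail about why the mapping failed, and (b) insecure_debug must be off outside test environments. The following is an added example written for this page; it is not Horizon or keystone code. The error body and the two keystone.conf fragments are constructed samples (the body has the same shape as the one quoted in the bug report), and the helper names friendly_error and insecure_debug_enabled are hypothetical. The only real identifier assumed is the [DEFAULT]/insecure_debug option named in the comment above.

```python
import configparser
import json

# Constructed sample: the body keystone returns when the IdP login succeeded
# but the federation mapping did not authorize the user (same shape as the
# JSON quoted in the bug description).
KEYSTONE_401_BODY = json.dumps({
    "error": {
        "message": "The request you have made requires authentication.",
        "code": 401,
        "title": "Unauthorized",
    }
})

# Constructed keystone.conf fragments: a test-environment setting and the
# setting that must be in place before going to production.
DEV_CONF = """[DEFAULT]
insecure_debug = true
"""
PROD_CONF = """[DEFAULT]
insecure_debug = false
"""

GENERIC_MESSAGE = "Login failed. Contact your cloud administrator."

# User-facing wording per keystone error code. Deliberately generic: the
# reason for the failed mapping stays in keystone's logs, not in the browser.
FRIENDLY_MESSAGES = {
    401: ("Your identity provider signed you in, but this cloud did not "
          "accept the login. Contact your cloud administrator."),
}


def friendly_error(body: str) -> str:
    """Map a keystone error body to a generic message a dashboard can show.

    Malformed or unexpected bodies fall back to the generic message rather
    than echoing the raw response to the user.
    """
    try:
        err = json.loads(body)["error"]
        code = int(err.get("code", 0))
    except (ValueError, KeyError, TypeError, AttributeError):
        return GENERIC_MESSAGE
    return FRIENDLY_MESSAGES.get(code, GENERIC_MESSAGE)


def insecure_debug_enabled(conf_text: str) -> bool:
    """Return True if keystone.conf text sets [DEFAULT] insecure_debug = true.

    Absent option means the default (false). interpolation=None keeps
    oslo.config-style values containing '$' from tripping configparser.
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.read_string(conf_text)
    return parser.getboolean("DEFAULT", "insecure_debug", fallback=False)


def audit_keystone_conf(conf_text: str, production: bool) -> list:
    """Return a list of findings; empty means no issue for this environment."""
    findings = []
    if production and insecure_debug_enabled(conf_text):
        findings.append(
            "[DEFAULT]/insecure_debug is true: detailed auth failure reasons "
            "are exposed to clients; set it to false before production use."
        )
    return findings


if __name__ == "__main__":
    print(friendly_error(KEYSTONE_401_BODY))
    print("dev findings:", audit_keystone_conf(DEV_CONF, production=False))
    print("prod findings:", audit_keystone_conf(DEV_CONF, production=True))
```

A pre-deploy check like audit_keystone_conf complements the comment's advice: the helpful messages insecure_debug provides while a mapping is being written are exactly what should not reach an unauthenticated client once the deployment is live.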
Akihiro Motoki (amotoki) wrote :

This is not a horizon issue. Marking as Invalid.

Changed in horizon:
status: New → Invalid