"Unauthorized" error message needs more hints

Bug #1835303 reported by Ben Nemec
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Low
Assigned to: Abhishek Mahajan

Bug Description

While I was testing the oslo.limit change, I initially had my password auth options set incorrectly and the exception message I got back was: "keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication."

That's confusing since I attempted to authenticate. It would be more user-friendly if the message in this scenario said something more like "Failed to authenticate due to bad username or password." At least an indication that the failure was due to bad input data, not an attempt to do something fundamentally wrong.

Revision history for this message
Colleen Murphy (krinkle) wrote :

The error message comes from keystone, not from keystoneauth:

https://opendev.org/openstack/keystone/src/commit/3b13b4e5e7d72c2eaef470d0f84537a279e10e43/keystone/exception.py#L281

The vague details on the server side are intentional, as there are many reasons authentication could have failed, including the user does not exist or is disabled, their project or domain does not exist or is disabled, or they're using an auth method like token, application_credential, trust, or external that failed in some other way. "bad username or password" wouldn't apply to those cases, and we don't want to get too specific about the failure since that gives more power to attackers.

However we could have keystoneauth override the message from keystone and say "Failed to authenticate" (omitting "due to...") if that is less confusing than "requires authentication".

Ben Nemec (bnemec) wrote:

"Failed to authenticate" would be an improvement, although I admit I'm generally nervous about translating exceptions that way (we have periodic bugs in oslo.db from doing it). In this case I guess it's safer since you own both sides of the translation though.

Another option would be to put some highly generic hints in the Keystone message directly. Something like "The request you have made requires authentication. Check that your authentication details are correct, and that your user/project/domain exist and are enabled." Even if it doesn't cover absolutely every case, since I realize your list is probably not exhaustive, if it could cover 90% of the situations where this might be raised that would be helpful. Having a clue as to where to look right in the error message makes for a nicer user experience, but it still doesn't provide any more details than what an attacker might get from a "What are the possible causes of a keystoneauth1.exceptions.http.Unauthorized exception" blog post. Which sort of exists[0], I guess, and basically boils down to "check your password". :-)

0: https://stackoverflow.com/questions/41548799/unauthorized-the-request-you-have-made-requires-authentication-http-401-on
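As an added illustration of the compromise discussed in the two comments above (constructed example code, not keystone's own): the server keeps the specific failure reason in its own log and returns the same 401 message, carrying only the generic hints, whatever the cause. The `Unauthorized` class, the user table and the names in it are made up for the example.

```python
import hmac
import logging
log = logging.getLogger("keystone.auth")

# One client-facing text for every failure cause, so the 401 does not reveal
# which check failed; the hints are the generic ones proposed in the thread.
UNAUTHORIZED_MESSAGE = (
    "The request you have made requires authentication. Check that your authentication "
    "details are correct, and that your user/project/domain exist and are enabled."
)

class Unauthorized(Exception):
    """Stand-in for an HTTP 401 error (constructed, not keystone's class)."""

# Constructed sample directory: name -> (password, user enabled, project enabled).
USERS = {
    "alice": ("correct-horse", True, True),
    "bob": ("battery-staple", False, True),
    "carol": ("staple-horse", True, False),
}

def _check(username, password):
    """Return None on success, otherwise the internal failure reason."""
    entry = USERS.get(username)
    if entry is None:
        return "user does not exist"
    secret, user_enabled, project_enabled = entry
    if not user_enabled:
        return "user is disabled"
    if not project_enabled:
        return "project is disabled"
    if not hmac.compare_digest(secret, password):  # constant-time comparison
        return "bad password"
    return None

def authenticate(username, password):
    """Raise Unauthorized with the uniform message; keep the real reason in the log."""
    reason = _check(username, password)
    if reason is not None:
        log.warning("auth failed for %r: %s", username, reason)  # server side only
        raise Unauthorized(UNAUTHORIZED_MESSAGE)
    return username

def failure_message(username, password):
    """Client-visible message for a failed attempt, or None when it succeeds."""
    try:
        authenticate(username, password)
    except Unauthorized as exc:
        return str(exc)
```

Every failing case below produces the identical message, so a caller learns where to look but not which of the checks rejected the request.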

Colleen Murphy (krinkle) wrote:

Adding more generic hints to the keystone message makes sense. I'll retarget this at keystone.

affects: keystoneauth → keystone
summary: - Unclear exception message for incorrect login details
+ "Unauthorized" error message needs more hints
Changed in keystone:
status: New → Triaged
importance: Undecided → Low
tags: added: low-hanging-fruit
Changed in keystone:
assignee: nobody → Abhishek Mahajan (mahajan-abhishek)
assignee: Abhishek Mahajan (mahajan-abhishek) → nobody
assignee: nobody → Abhishek Mahajan (mahajan-abhishek)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/682955

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote:

Fix proposed to branch: master
Review: https://review.opendev.org/683259

OpenStack Infra (hudson-openstack) wrote: Change abandoned on keystone (master)

Change abandoned by Abhishek Mahajan (<email address hidden>) on branch: master
Review: https://review.opendev.org/683259
Reason: Already at https://review.opendev.org/#/c/682955/

Changed in keystone:
assignee: Abhishek Mahajan (mahajan-abhishek) → nobody
Colleen Murphy (krinkle)
Changed in keystone:
status: In Progress → Triaged
Changed in keystone:
assignee: nobody → Abhishek Mahajan (mahajan-abhishek)
Abhishek Mahajan (mahajan-abhishek) wrote:

Is it clear to anybody what is expected in this bug, without exposing more information to attackers?

OpenStack Infra (hudson-openstack) wrote:

Change abandoned by "Gage Hugo <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/682955
Reason: Abandoning since there hasn't been any recent activity, if anyone wants to continue this work, please feel free to restore this or create a new change.
