"Unauthorized" error message needs more hints

Bug #1835303 reported by Ben Nemec on 2019-07-03
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

While I was testing the oslo.limit change, I initially had my password auth options set incorrectly and the exception message I got back was: "keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication."

That's confusing since I attempted to authenticate. It would be more user-friendly if the message in this scenario said something more like "Failed to authenticate due to bad username or password." At least an indication that the failure was due to bad input data, not an attempt to do something fundamentally wrong.

Colleen Murphy (krinkle) wrote :

The error message comes from keystone, not from keystoneauth:

https://opendev.org/openstack/keystone/src/commit/3b13b4e5e7d72c2eaef470d0f84537a279e10e43/keystone/exception.py#L281

The vague details on the server side are intentional, as there are many reasons authentication could have failed, including the user does not exist or is disabled, their project or domain does not exist or is disabled, or they're using an auth method like token, application_credential, trust, or external that failed in some other way. "bad username or password" wouldn't apply to those cases, and we don't want to get too specific about the failure since that gives more power to attackers.

However we could have keystoneauth override the message from keystone and say "Failed to authenticate" (omitting "due to...") if that is less confusing than "requires authentication".

Ben Nemec (bnemec) wrote :

"Failed to authenticate" would be an improvement, although I admit I'm generally nervous about translating exceptions that way (we have periodic bugs in oslo.db from doing it). In this case I guess it's safer since you own both sides of the translation though.

Another option would be to put some highly generic hints in the Keystone message directly. Something like "The request you have made requires authentication. Check that your authentication details are correct, and that your user/project/domain exist and are enabled." Even if it doesn't cover absolutely every case, since I realize your list is probably not exhaustive, if it could cover 90% of the situations where this might be raised that would be helpful. Having a clue as to where to look right in the error message makes for a nicer user experience, but it still doesn't provide any more details than what an attacker might get from a "What are the possible causes of a keystoneauth1.exceptions.http.Unauthorized exception" blog post. Which sort of exists[0], I guess, and basically boils down to "check your password". :-)

0: https://stackoverflow.com/questions/41548799/unauthorized-the-request-you-have-made-requires-authentication-http-401-on
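The point both comments circle around (keep the server's message uniform across failure causes, but give generic hints) can be shown as a small authentication routine. The code below is an added example written for this page, not keystone's or keystoneauth's code: the `User` record, the constructed `USERS`/`DOMAINS` directory, the toy SHA-256 password hash and the `authenticate`/`failure_message` helpers are all assumptions. Every failure path (wrong password, unknown user, disabled user, disabled domain) raises the same exception with the same text, so a caller cannot tell the cases apart, while the hint text still tells a legitimate user where to look.

```python
"""Constructed example: one uniform Unauthorized message for every failure cause."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Same text for every failure cause; the hints are deliberately generic and
# follow the wording proposed in the bug discussion.
UNAUTHORIZED_MESSAGE = (
    "The request you have made requires authentication. "
    "Check that your authentication details are correct, and that "
    "your user, project and domain exist and are enabled."
)


class Unauthorized(Exception):
    """Single exception type raised for every authentication failure."""

    def __init__(self) -> None:
        super().__init__(UNAUTHORIZED_MESSAGE)


@dataclass
class User:
    name: str
    domain: str
    password_hash: str  # hex SHA-256 of the password: a toy, not a real password KDF
    enabled: bool = True


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample directory: an enabled user, a disabled user, and a user
# whose domain is disabled.
DOMAINS = {"default": True, "archived": False}
USERS = {
    ("alice", "default"): User("alice", "default", _hash("correct horse")),
    ("bob", "default"): User("bob", "default", _hash("hunter2"), enabled=False),
    ("carol", "archived"): User("carol", "archived", _hash("secret")),
}

# Compared against when the user does not exist, so the unknown-user path does
# roughly the same work as the known-user path.
_DUMMY_HASH = _hash("dummy-not-a-real-password")


def authenticate(name: str, domain: str, password: str) -> User:
    """Return the User on success; raise Unauthorized on any failure.

    All checks are evaluated into a single boolean and the exception carries
    no detail about which check failed.
    """
    user = USERS.get((name, domain))
    expected = user.password_hash if user is not None else _DUMMY_HASH
    ok = hmac.compare_digest(expected, _hash(password))  # constant-time compare
    ok = ok and user is not None
    ok = ok and user.enabled
    ok = ok and DOMAINS.get(domain, False)
    if not ok:
        raise Unauthorized()
    return user


def failure_message(name: str, domain: str, password: str) -> Optional[str]:
    """The message a caller would see for these credentials, or None on success."""
    try:
        authenticate(name, domain, password)
    except Unauthorized as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Wrong password, unknown user, disabled user, disabled domain: one message.
    cases = [
        ("alice", "default", "wrong"),
        ("nobody", "default", "correct horse"),
        ("bob", "default", "hunter2"),
        ("carol", "archived", "secret"),
    ]
    messages = {failure_message(*case) for case in cases}
    assert messages == {UNAUTHORIZED_MESSAGE}
    assert failure_message("alice", "default", "correct horse") is None
    print("every failure cause yields the same message")
```

The check that matters is the set comparison at the bottom: if any branch ever produced a different string (or a different exception type, or a measurably different code path), that branch would become a way to distinguish "user exists" from "user does not exist", which is exactly the detail the server-side message withholds.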

Colleen Murphy (krinkle) wrote :

Adding more generic hints to the keystone message makes sense. I'll retarget this at keystone.

affects: keystoneauth → keystone
summary: - Unclear exception message for incorrect login details
+ "Unauthorized" error message needs more hints
Changed in keystone:
status: New → Triaged
importance: Undecided → Low
tags: added: low-hanging-fruit