Comment 33 for bug 1873290

Colleen Murphy (krinkle) wrote : Re: OAuth1 request token authorize silently ignores roles parameter

I'm attaching a patch for rocky even though it has reached EM to help distros that need to support older releases.

To mitigate this bug for older branches, I recommend disabling 'oauth1' as an authentication method by removing it from the comma-separated list in the [auth]/methods config option in keystone.conf. Alternatively, although the default policy rules for these actions are already very restrictive, you can further restrict them by disabling them completely with policy rules such as:

"identity:create_consumer": "!"
"identity:update_consumer": "!"
"identity:authorize_request_token": "!"
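As an added example (not part of this comment, the patch, or keystone itself), a small Python audit of the two mitigations described above: it checks whether 'oauth1' is still listed in [auth]/methods and whether the three policy targets are set to the deny-all rule "!". The keystone.conf fragment and policy content below are constructed samples; the policy is given in JSON form, which is also valid policy.yaml.

```python
"""Audit the two OAuth1 mitigations from the comment above (added example,
not keystone code): is 'oauth1' absent from [auth]/methods, and are the
three consumer/request-token policy targets set to the deny-all rule "!"?"""
import configparser
import json

# Constructed sample keystone.conf fragment, not a real deployment file.
SAMPLE_KEYSTONE_CONF = """
[auth]
methods = external,password,token,oauth1,mapped,application_credential
"""

# Constructed sample policy file (JSON form; the same keys apply in
# policy.yaml). Only two of the three targets are locked down here.
SAMPLE_POLICY_JSON = json.dumps({
    "identity:create_consumer": "!",
    "identity:update_consumer": "!",
    "identity:authorize_request_token": "rule:admin_required",
})

# Policy targets the comment recommends denying outright with "!".
OAUTH1_POLICY_TARGETS = (
    "identity:create_consumer",
    "identity:update_consumer",
    "identity:authorize_request_token",
)


def oauth1_method_enabled(conf_text):
    """Return True if 'oauth1' appears in the [auth]/methods list."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    methods = cp.get("auth", "methods", fallback="")
    return "oauth1" in [m.strip() for m in methods.split(",")]


def open_oauth1_policy_targets(policy_text):
    """Return the OAuth1 targets whose rule is not the deny-all rule "!"."""
    rules = json.loads(policy_text)
    return [t for t in OAUTH1_POLICY_TARGETS if rules.get(t) != "!"]


def mitigation_in_place(conf_text, policy_text):
    """True if oauth1 is not an auth method, or every target is denied."""
    if not oauth1_method_enabled(conf_text):
        return True
    return not open_oauth1_policy_targets(policy_text)
```

Point the two functions at a real keystone.conf and policy file to confirm a deployment has applied either mitigation; the sample above deliberately leaves one target open so the check reports it.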