Federated identity login does not prevent disabling account due to inactivity
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
New
|
Undecided
|
Unassigned |
Bug Description
On keystone configured with OIDC federated login and disable_
From a review of the source, it appears there are 2 cases where keystone updates last_active_at in the database.
The first is authenticating with a password: https:/
The second is when a federated (e.g. OIDC) login happens for an ephemeral user: https:/
We use federated users but we map them to existing local keystone users in the default domain - so they're not ephemeral.
To confirm, I switched our mapping to ephemeral. With mapping set to ephemeral, logging into OIDC does update the last_active_at field, but it creates a second user account in a separate domain, and this is not our use case.
Relevant part of the docs: https:/ /docs.openstack .org/keystone/ ocata/security_ compliance. html#disabling- inactive- users
> PCI-DSS 8.1.4 requires that inactive user accounts be removed or disabled within 90 days
> This above example means that users that have not authenticated (inactive) for the past 90 days
> will be automatically disabled. Users can be re-enabled by explicitly setting the enable user
> attribute via the API.
Difficult to build a workaround to find why an account is inactive because the last_active_at field is only stored in the database. it is explicitly hidden from API objects, including unit tests to ensure it does not appear: https:/ /github. com/openstack/ keystone/ blob/07abf2fa4d 5c2bc5dc1c77d70 0ac3589d1169d3f /keystone/ tests/unit/ test_v3_ identity. py#L297- L303.
Without digging into internals, we can't readily tell the difference between an account disabled due to this bug or one disabled administratively