Federated identity login does not prevent disabling account due to inactivity
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
New
|
Undecided
|
Unassigned | ||
Bug Description
On keystone configured with OIDC federated login and disable_
From a review of the source, it appears there are 2 cases where keystone updates last_active_at in the database.
The first is authenticating with a password: https:/
The second is when a federated (e.g. OIDC) login happens for an ephemeral user: https:/
We use federated users but we map them to existing local keystone users in the default domain - so they're not ephemeral.
To confirm, I switched our mapping to ephemeral. With mapping set to ephemeral, logging into OIDC does update the last_active_at field, but it creates a second user account in a separate domain, and this is not our use case.
| Daniel Leehr (danleehr) wrote | #1 |
| Walter (wdoekes) wrote | #2 |
| Daniel Leehr (danleehr) wrote | #3 |
Relevant part of the docs: https:/
> PCI-DSS 8.1.4 requires that inactive user accounts be removed or disabled within 90 days
> This above example means that users that have not authenticated (inactive) for the past 90 days
> will be automatically disabled. Users can be re-enabled by explicitly setting the enable user
> attribute via the API.
Difficult to build a workaround to find why an account is inactive because the last_active_at field is only stored in the database. it is explicitly hidden from API objects, including unit tests to ensure it does not appear: https:/
Without digging into internals, we can't readily tell the difference between an account disabled due to this bug or one disabled administratively