federated login fails after user is removed from group
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Eric Brown | |
Mitaka | Fix Released | Medium | Eric Brown | |
Newton | Fix Released | Medium | Eric Brown | |
Bug Description
A user who is part of a group in auth0 tries to log in using the mapping below just fine
[
{
"local": [
{
}
},
{
},
}
],
"remote": [
{
},
{
}
]
}
]
Once the user is removed from the group in auth0 and tries to log in:
Expected Result:
Failed to log on to horizon as federation user using OpenID Connect protocol and got 401 code:
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
Actual Result:
Got 500 instead of 401
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
error in keystone-all.logs:
2016-09-30 19:32:25.549 23311 ERROR keystone.
summary: - 500 when a user logins in using federation
+ federated login fails after user is removed from group
tags: added: federation
Changed in keystone: assignee: nobody → Eric Brown (ericwb)
Changed in keystone: importance: Undecided → Medium
Changed in keystone: milestone: none → ocata-3
Looks like this is blowing up here - https://github.com/openstack/keystone/blob/cd23e776b7631d2f7b9465ef29789fd354f7d66a/keystone/federation/utils.py#L615-L616
One way we could possibly fix this is by adding some validation to the _transform() method, making sure the identity_values['groups'] is actually a list.
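The validation suggested in the comment above, sketched as an added example; it is not keystone's code and not part of the bug thread. `parse_groups`, `Unauthorized` and `status_for` are hypothetical names, and the sketch assumes the mapped 'groups' value arrives either as a list or as the string form of one, and that an empty membership should be refused with 401 as the report expects.

```python
import ast


class Unauthorized(Exception):
    """Hypothetical stand-in for the error a service turns into HTTP 401."""
    status = 401


def parse_groups(raw):
    """Return the mapped 'groups' value as a list of names or raise Unauthorized.

    Assumption: the value is a real list, or a string produced by
    substituting a remote attribute into the mapping.
    """
    if isinstance(raw, (list, tuple)):
        names = list(raw)
    elif isinstance(raw, str):
        try:
            names = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            # Not a Python literal: '' raises SyntaxError, a bare word such
            # as 'admins' raises ValueError. Catching only one of the two
            # lets the other escape as an unhandled server error.
            names = [raw] if raw.strip() else []
        if isinstance(names, str):
            names = [names]
    else:
        names = None
    if not isinstance(names, (list, tuple)) or not all(
            isinstance(n, str) and n for n in names):
        raise Unauthorized("mapped 'groups' is not a list of group names")
    if not names:
        # Assumption: a user with no remaining group membership is rejected.
        raise Unauthorized("assertion carries no group membership")
    return list(names)


def status_for(raw):
    """HTTP status a login would receive for this 'groups' value."""
    try:
        parse_groups(raw)
        return 200
    except Unauthorized as exc:
        return exc.status
```
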