OpenID default scope must contain "openid" at least
Bug #1597334 reported by Alvaro Lopez
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| keystoneauth | Fix Released | Medium | Alvaro Lopez | |
Bug Description
The OpenID auth plugins default the OpenID scope to scope='profile'. However, the OpenID specification states that "openid" MUST be specified [1], regardless of requesting any other scope.
[1] https:/
The plugins work, as the server behavior is unspecified, so the servers are returning a correct response, but the plugins should be fixed so that the default is scope="openid profile". This way we will be compliant with the specification, not changing the current behavior.
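The following is an added example, not code from keystoneauth or from the bug reporter. It shows the defensive side of the point made above: a scope value bound for an OpenID Connect token request is normalized so that "openid" is always present, with the default the report asks for ("openid profile"), and a request-body builder for the password grant (field names as in RFC 6749, section 4.3.2; the function and constant names are assumptions made for this illustration).

```python
# Added example (not keystoneauth code): make sure an OpenID Connect scope
# always contains "openid", as the OpenID Connect Core specification requires.

DEFAULT_OIDC_SCOPE = "openid profile"  # the default the bug report proposes


def normalize_oidc_scope(scope=None):
    """Return a space-delimited scope string that always includes "openid".

    - None or blank input falls back to DEFAULT_OIDC_SCOPE
    - duplicate tokens and surplus whitespace are removed, order otherwise kept
    - "openid" is moved to (or added at) the front of the list
    """
    if scope is None or not scope.strip():
        return DEFAULT_OIDC_SCOPE
    seen = []
    for token in scope.split():
        if token not in seen:
            seen.append(token)
    if "openid" in seen:
        seen.remove("openid")
    return " ".join(["openid"] + seen)


def is_valid_oidc_scope(scope):
    """Pre-flight check on a scope value: non-empty and contains "openid"."""
    return bool(scope) and "openid" in scope.split()


def build_password_grant_body(username, password, scope=None):
    """Form body of a Resource Owner Password Credentials token request
    (the grant the OidcPassword plugin uses); the scope is normalized
    before it is included so a misconfigured 'profile' cannot be sent alone."""
    return {
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": normalize_oidc_scope(scope),
    }
```

Normalizing rather than rejecting keeps existing deployments working (a configured "profile" becomes "openid profile"), which is exactly the compatibility the report asks to preserve; `is_valid_oidc_scope` is the stricter check to use where a scope is supplied by an operator and should be validated instead of silently repaired.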
description: updated
Changed in keystoneauth:
  assignee: nobody → Alvaro Lopez (aloga)
  status: New → In Progress
Changed in keystoneauth:
  importance: Undecided → Medium
tags: added: oidc
Reviewed: https://review.openstack.org/330463
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=68a7962488831bfb6cc9f72b7515a9d245fb2041
Submitter: Jenkins
Branch: master
commit 68a7962488831bfb6cc9f72b7515a9d245fb2041
Author: Alvaro Lopez Garcia <email address hidden>
Date: Thu Jun 16 11:20:14 2016 +0200
oidc: fix OpenID scope management
The OpenID scope is something common to all the OpenID grant types,
therefore we move the OIDC scope parameter 'scope' from the OidcPassword
class into the base _OidcBase class, moving the option as well into the
corresponding loader.
Moreover, OpenID scopes are not handled properly, as the loaders have
the option defined as "openid-scope" whereas the class constructor
argument is named "openid".
Lastly, OpenID states that the OpenID scope MUST contain "openid" at
least, so we should include this in our defaults argument.
Closes-Bug: #1594272
Closes-Bug: #1597334
Change-Id: I9a242ae93a61737d032c19830c5d89ef6237f875
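The commit message above describes a second defect besides the default scope: the loader exposed an option named "openid-scope" while the plugin constructor took a differently named argument, so the configured value never reached the plugin. The following is an added example, not keystoneauth's code, that models that shape with two hypothetical plugin classes and a loader option table, and shows the consistency check a test suite can run to catch such a mismatch before the option silently does nothing. Class names, the option table and the function names are assumptions made for this illustration.

```python
import inspect

# Added example (not keystoneauth code). Models a loader whose options are
# mapped onto plugin constructor arguments, and a check that every loader
# option actually lands on an argument the constructor accepts.


class OidcPasswordBefore:
    """Hypothetical 'before' shape: the scope argument is named 'openid',
    so a loader option mapped to 'scope' never reaches it."""

    def __init__(self, auth_url, username, password, openid="profile"):
        self.auth_url = auth_url
        self.scope = openid


class OidcPasswordAfter:
    """Hypothetical 'after' shape: argument named 'scope', defaulting to a
    value that contains "openid" as the specification requires."""

    def __init__(self, auth_url, username, password, scope="openid profile"):
        self.auth_url = auth_url
        self.scope = scope


# Hypothetical loader option table: CLI/config option name -> constructor
# argument name it is meant to feed.
LOADER_OPTIONS = {
    "auth-url": "auth_url",
    "username": "username",
    "password": "password",
    "openid-scope": "scope",
}


def unmapped_loader_options(plugin_cls, options):
    """Return the loader options whose target argument the constructor of
    plugin_cls does not accept. An empty list means loader and plugin agree."""
    params = inspect.signature(plugin_cls.__init__).parameters
    return [opt for opt, arg in options.items() if arg not in params]


def load_plugin(plugin_cls, options, config):
    """Build the plugin from a config dict keyed by loader option names,
    refusing to proceed if any option cannot be passed to the constructor
    (a loud failure instead of a silently ignored setting)."""
    bad = unmapped_loader_options(plugin_cls, options)
    if bad:
        raise TypeError("loader options without constructor argument: %s" % bad)
    kwargs = {options[opt]: value for opt, value in config.items()}
    return plugin_cls(**kwargs)
```

Run as a unit test, `unmapped_loader_options` over every registered plugin class and its option table turns a naming drift between loader and constructor into a failing test rather than an option that is accepted from the operator and then dropped.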