OpenID default scope must contain "openid" at least

Bug #1597334 reported by Alvaro Lopez
This bug affects 1 person
Affects: keystoneauth
Status: Fix Released
Importance: Medium
Assigned to: Alvaro Lopez
Milestone: (none)

Bug Description

The OpenID auth plugins default the OpenID scope to scope='profile'. However, the OpenID specification states that "openid" MUST be specified [1], regardless of requesting any other scope.

[1] https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

The plugins work, as the server behavior is unspecified, so the servers are returning a correct response, but the plugins should be fixed so that the default is scope="openid profile". This way we will be compliant with the specification, not changing the current behavior.

Tags: oidc
Alvaro Lopez (aloga)
description: updated
Changed in keystoneauth:
assignee: nobody → Alvaro Lopez (aloga)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/330463
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=68a7962488831bfb6cc9f72b7515a9d245fb2041
Submitter: Jenkins
Branch: master

commit 68a7962488831bfb6cc9f72b7515a9d245fb2041
Author: Alvaro Lopez Garcia <email address hidden>
Date: Thu Jun 16 11:20:14 2016 +0200

    oidc: fix OpenID scope management

    The OpenID scope is something common to all the OpenID grant types,
    therefore we move the OIDC scope parameter 'scope' from the OidcPassword
    class into the base _OidcBase class, moving the option as well into the
    corresponding loader.

    Moreover, OpenID scopes are not handled properly, as the loaders have
    the option defined as "openid-scope" whereas the class constructor
    argument is named "openid".

    Lastly, OpenID states that the OpenID scope MUST contain "openid" at
    least, so we should include this in our defaults argument.

    Closes-Bug: #1594272
    Closes-Bug: #1597334
    Change-Id: I9a242ae93a61737d032c19830c5d89ef6237f875
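
The scope handling that the bug description and the commit message above describe, as an added Python example that is not keystoneauth's own code: the scope lives in a base class shared by all grant types, the loader maps the "openid-scope" option onto the constructor's "scope" argument, and every request is normalized so that "openid" is always present (defaulting to "openid profile"). The class, function and option names (OidcBase, OidcPassword, OidcAuthorizationCode, normalize_oidc_scope, load_plugin, the option-to-keyword table) are assumptions for this example and do not mirror keystoneauth's real API.

```python
"""Added example, not keystoneauth's code. Names below are hypothetical."""
from urllib.parse import urlencode

# Default adopted by the fix: "openid" is mandatory, "profile" is the old default.
DEFAULT_OIDC_SCOPE = "openid profile"


def normalize_oidc_scope(scope=None):
    """Return a space-separated scope string that always begins with 'openid'.

    OpenID Connect requires the 'openid' scope value on every request; any
    other values (profile, email, ...) are optional extras. An empty or None
    scope falls back to DEFAULT_OIDC_SCOPE, duplicates are dropped and the
    order of the remaining extras is preserved.
    """
    values = (scope or DEFAULT_OIDC_SCOPE).split()
    extras = []
    for value in values:
        if value != "openid" and value not in extras:
            extras.append(value)
    return " ".join(["openid"] + extras)


def scope_is_compliant(scope):
    """True when the space-separated scope string contains 'openid'."""
    return "openid" in (scope or "").split()


class OidcBase:
    """Hypothetical base plugin: scope is kept here because it is common to
    every OIDC grant type, as the commit message describes."""

    grant_type = None

    def __init__(self, client_id, client_secret, scope=None):
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = normalize_oidc_scope(scope)

    def grant_params(self):
        raise NotImplementedError

    def token_request_body(self):
        """Form-encoded body for the token endpoint, scope always included."""
        body = {
            "grant_type": self.grant_type,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": self.scope,
        }
        body.update(self.grant_params())
        return urlencode(sorted(body.items()))


class OidcPassword(OidcBase):
    grant_type = "password"

    def __init__(self, client_id, client_secret, username, password, scope=None):
        super().__init__(client_id, client_secret, scope)
        self.username = username
        self.password = password

    def grant_params(self):
        return {"username": self.username, "password": self.password}


class OidcAuthorizationCode(OidcBase):
    grant_type = "authorization_code"

    def __init__(self, client_id, client_secret, code, redirect_uri, scope=None):
        super().__init__(client_id, client_secret, scope)
        self.code = code
        self.redirect_uri = redirect_uri

    def grant_params(self):
        return {"code": self.code, "redirect_uri": self.redirect_uri}


PLUGINS = {"password": OidcPassword, "authorization_code": OidcAuthorizationCode}

# Loader option names differ from constructor keywords; this table is the
# mapping the bug says was missing ("openid-scope" -> "scope").
OPTION_TO_KWARG = {"openid-scope": "scope"}


def load_plugin(grant_type, options):
    """Build a plugin from CLI/config-style options (hypothetical loader)."""
    kwargs = {OPTION_TO_KWARG.get(k, k.replace("-", "_")): v
              for k, v in options.items()}
    return PLUGINS[grant_type](**kwargs)


if __name__ == "__main__":
    # Constructed sample options, as a config loader would pass them.
    plugin = load_plugin("password", {
        "client-id": "c", "client-secret": "s",
        "username": "u", "password": "p", "openid-scope": "profile email",
    })
    print(plugin.scope)                # openid profile email
    print(plugin.token_request_body())
```

Note that a user asking only for "profile" (the old default) still gets "openid profile" on the wire, which matches the bug's goal of becoming compliant without changing observable behaviour.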

Changed in keystoneauth:
status: In Progress → Fix Released
Changed in keystoneauth:
importance: Undecided → Medium
Alvaro Lopez (aloga)
tags: added: oidc
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/keystoneauth 2.10.0

This issue was fixed in the openstack/keystoneauth 2.10.0 release.
