When using service tokens and kerberos, the REMOTE_USER will be the
service user, and hence the token bind confirmation will always fail to
validate the client user's token, making it impossible to use token
binding with service tokens. This patch adds a test to expose the issue
and fixes the problem by only validating the token binding for the
service token when both tokens are in the request.
Reviewed: https://review.openstack.org/304400
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=5ba835f3e145e7ec3e71beabaf8711244159dc37
Submitter: Jenkins
Branch: master
commit 5ba835f3e145e7ec3e71beabaf8711244159dc37
Author: Colleen Murphy <email address hidden>
Date: Mon Apr 11 19:13:56 2016 -0700
Only confirm token binding on one token
When using service tokens and kerberos, the REMOTE_USER will be the
service user, and hence the token bind confirmation will always fail to
validate the client user's token, making it impossible to use token
binding with service tokens. This patch adds a test to expose the issue
and fixes the problem by only validating the token binding for the
service token when both tokens are in the request.
Change-Id: I7ba2283e8e58b89f1e42bc738c7e77284321e3a5
Closes-bug: #1413433
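
The failure the commit message describes, and the behaviour after the fix, as a small added model (this is not keystonemiddleware's code or the patch itself). The function names, token layout and principals are assumptions made for the illustration; only the REMOTE_USER comparison and the "service token only when both are present" rule come from the text above.

```python
# Added illustration, not keystonemiddleware code; all names are hypothetical.

class BindError(Exception):
    """The request's Kerberos principal does not match the token's binding."""


def confirm_bind(token, environ):
    """Confirm one token's kerberos binding against REMOTE_USER."""
    principal = token.get("bind", {}).get("kerberos")
    if principal is None:
        return True  # unbound token: nothing to confirm
    if environ.get("REMOTE_USER") != principal:
        raise BindError("bound to %r, request authenticated as %r"
                        % (principal, environ.get("REMOTE_USER")))
    return True


def validate_both(user_token, service_token, environ):
    """Behaviour described as the bug: every token in the request is checked."""
    confirm_bind(user_token, environ)
    if service_token is not None:
        confirm_bind(service_token, environ)
    return True


def validate_one(user_token, service_token, environ):
    """Behaviour described as the fix: with both tokens, check the service token only."""
    if service_token is not None:
        return confirm_bind(service_token, environ)
    return confirm_bind(user_token, environ)


# Constructed sample data: principals and token layout are invented for the demo.
USER_TOKEN = {"bind": {"kerberos": "alice@EXAMPLE.TEST"}}
SERVICE_TOKEN = {"bind": {"kerberos": "svc-nova@EXAMPLE.TEST"}}
# The service forwards the request, so the Kerberos principal is the service's.
SERVICE_HOP = {"REMOTE_USER": "svc-nova@EXAMPLE.TEST"}

if __name__ == "__main__":
    try:
        validate_both(USER_TOKEN, SERVICE_TOKEN, SERVICE_HOP)
    except BindError as exc:
        print("check both tokens: rejected,", exc)
    print("check service token only:", validate_one(USER_TOKEN, SERVICE_TOKEN, SERVICE_HOP))
```

In this model, a request carrying both tokens is accepted on the strength of the service token's binding alone, so the user token's binding is not enforced on that hop; a user token presented without a service token is still checked against REMOTE_USER.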