Comment 58 for bug 1490804

Brant Knudson (blk-u) wrote : Re: PKI Token Revocation Bypass

The issue with validating fields in the token is that a PKI token could be changed into a PKIZ token and then the hash wouldn't match. So we'd have to have some way for the auth_token middleware to know that the identity server is issuing PKI or PKIZ tokens, either a new auth_token config option or keystone rest api or change to the revocation list response to also indicate the token format.

I'll look into also having keystone store the audit id in the revocation list. We have audit IDs in tokens going back to juno, and v2 tokens have audit_ids, too. So should be a pretty easy change.

Changing auth_token to also check the revocation list for the audit_ids should be easy, too.
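The two checks discussed in the comment, worked through as an added example that is not keystone or auth_token code. It assumes a revocation list entry carries the token hash as "id" plus a proposed "audit_ids" list, that md5 of the token bytes is the hash (the default hash_algorithms setting is assumed), and that a PKIZ token is the zlib-compressed, base64url-encoded form of the same token with a "PKIZ_" prefix; the token body, the "PKI:" stand-in for the CMS signature, and the audit IDs are all constructed for illustration.

```python
import base64
import hashlib
import json
import zlib

# Constructed v3-style token payload (not a real keystone token).
TOKEN_BODY_V3 = json.dumps(
    {"token": {"audit_ids": ["AUDIT-A"], "user": {"id": "u1"}}}
).encode()

# Constructed v2-style token payload, which keeps audit_ids under access.token.
TOKEN_BODY_V2 = json.dumps(
    {"access": {"token": {"id": "t2", "audit_ids": ["AUDIT-B"]}}}
).encode()


def audit_ids_from_body(body: bytes):
    """Pull audit_ids out of either a v3 ("token") or v2 ("access") payload."""
    data = json.loads(body)
    if "token" in data:
        return list(data["token"].get("audit_ids", []))
    return list(data["access"]["token"].get("audit_ids", []))


def pki_token(body: bytes) -> bytes:
    """Stand-in for a CMS-signed PKI token (assumption: just a prefix)."""
    return b"PKI:" + body


def pkiz_token(body: bytes) -> bytes:
    """Assumed PKIZ encoding: zlib-compress the PKI token, base64url, PKIZ_ prefix."""
    return b"PKIZ_" + base64.urlsafe_b64encode(zlib.compress(pki_token(body)))


def token_hash(token: bytes, algorithm: str = "md5") -> str:
    """Hash used as the revocation list 'id' (md5 assumed as default)."""
    return hashlib.new(algorithm, token).hexdigest()


def revocation_entry(token: bytes, body: bytes) -> dict:
    """Keystone side: record the hash and (proposed) the audit_ids on revoke."""
    return {"id": token_hash(token), "audit_ids": audit_ids_from_body(body)}


def is_revoked_by_hash(token: bytes, revocation_list) -> bool:
    """The existing check: match only on the hash of the presented bytes."""
    h = token_hash(token)
    return any(entry.get("id") == h for entry in revocation_list)


def is_revoked(token: bytes, audit_ids, revocation_list) -> bool:
    """Proposed check: hash match OR any audit_id shared with a revoked entry."""
    h = token_hash(token)
    wanted = set(audit_ids)
    for entry in revocation_list:
        if entry.get("id") == h:
            return True
        if wanted & set(entry.get("audit_ids", [])):
            return True
    return False


if __name__ == "__main__":
    # Keystone revokes the PKI form; the client then presents the PKIZ form.
    revoked = [revocation_entry(pki_token(TOKEN_BODY_V3), TOKEN_BODY_V3)]
    pkiz = pkiz_token(TOKEN_BODY_V3)
    print("hash-only check catches PKIZ form:",
          is_revoked_by_hash(pkiz, revoked))
    print("audit_id check catches PKIZ form:",
          is_revoked(pkiz, audit_ids_from_body(TOKEN_BODY_V3), revoked))
```

Run stand-alone, the hash-only check reports the re-encoded token as not revoked, while the audit_id check catches it, which is the point of recording audit_ids on both sides.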