Two nonce collided - OpenStackID

Bug #1431496 reported by Jimmy McArthur
This bug affects 1 person

Affects: openstack-org
Status: Fix Released
Importance: Undecided
Assigned to: Jimmy McArthur

Bug Description

Openid.response_nonce
Value: A string 255 characters or less in length, that MUST be unique to this particular successful authentication response. The nonce MUST start with the current time on the server, and MAY contain additional ASCII characters in the range 33-126 inclusive (printable non-whitespace characters), as necessary to make each response unique. The date and time MUST be formatted as specified in section 5.6 of [RFC3339], with the following restrictions:

All times must be in the UTC timezone, indicated with a "Z".
No fractional seconds are allowed
For example: 2005-05-15T17:11:51ZUNIQUE
These are the offending entries in table oid_nonces:
https://openstackid.org/accounts/openid2-1426152871-55015da78cfd
https://openstackid.org/accounts/openid2-1426153018-55015e3a844d

Revision history for this message
Jimmy McArthur (jimmy-l) wrote:

The following fix was applied and released shortly after the initial bug report:

Used a stronger random string generation algo (Zend lib)
https://review.openstack.org/#/c/163814/

Changed in openstack-org:
assignee: nobody → Jimmy McArthur (jimmy-l)
status: New → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix proposed to openstackid (master)

Fix proposed to branch: master
Review: https://review.openstack.org/164203

Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix merged to openstackid (master)

Reviewed: https://review.openstack.org/164203
Committed: https://git.openstack.org/cgit/openstack-infra/openstackid/commit/?id=02218a989d6a33f49ed9b142f172f685168160fb
Submitter: Jenkins
Branch: master

commit 02218a989d6a33f49ed9b142f172f685168160fb
Author: Sebastian Marcet <email address hidden>
Date: Fri Mar 13 11:42:19 2015 -0300

    Fix on NONCE collision

    Now the algorithm uses a REDIS cache to ensure uniqueness of
    each emitted NONCE (OpenID/OAUTH2).

    Change-Id: I0b47d47a8e68274f1b89d86e9b3e84bc6ff999eb
    Closes-Bug: #1431496

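The following is an added example, not code from openstackid or from the change linked above. It shows the two halves of the fix the thread describes: building a response_nonce in the format the bug description quotes from the OpenID 2.0 spec (UTC RFC 3339 timestamp with "Z", no fractional seconds, then a random printable suffix), and refusing to emit a nonce the server has already issued via an atomic set-if-absent check, the role the commit message assigns to Redis. The in-memory `NonceStore`, the `issue_unique_nonce` retry loop and the fixed-suffix generator that stands in for a low-entropy one are all assumptions made for the example; nothing here is the project's API.

```python
"""Added example (not openstackid's code): spec-shaped OpenID response_nonce
generation plus a set-if-absent uniqueness check in place of the Redis cache."""
import re
import secrets
from datetime import datetime, timezone

# Format quoted in the bug: RFC 3339 UTC time ending in "Z", no fractional
# seconds, then optional printable non-whitespace ASCII (0x21-0x7E); <= 255 chars.
NONCE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z[\x21-\x7e]*$")
MAX_NONCE_LEN = 255


def format_timestamp(now: datetime) -> str:
    """Render an instant as the UTC RFC 3339 prefix every nonce must start with."""
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def is_valid_nonce(nonce: str) -> bool:
    """Check only the format constraints the spec excerpt lists."""
    return len(nonce) <= MAX_NONCE_LEN and NONCE_RE.match(nonce) is not None


def strong_suffix() -> str:
    """CSPRNG suffix: 16 bytes of entropy makes an accidental repeat negligible."""
    return secrets.token_hex(16)


class NonceStore:
    """Assumed in-memory stand-in for a cache with atomic set-if-absent
    (the job Redis does in the real fix). Only add_if_absent's semantics matter."""

    def __init__(self) -> None:
        self._seen = set()

    def add_if_absent(self, nonce: str) -> bool:
        # Returns False if the nonce was already issued, True if it is new.
        if nonce in self._seen:
            return False
        self._seen.add(nonce)
        return True


def issue_unique_nonce(store: NonceStore, now: datetime, suffix_fn=strong_suffix,
                       max_attempts: int = 5) -> str:
    """Build timestamp + suffix and retry until the store accepts it as unseen.
    A generator that repeats within one second exhausts the attempts and fails
    loudly instead of handing two responses the same nonce."""
    for _ in range(max_attempts):
        nonce = format_timestamp(now) + suffix_fn()
        if not is_valid_nonce(nonce):
            raise ValueError(f"malformed nonce: {nonce!r}")
        if store.add_if_absent(nonce):
            return nonce
    raise RuntimeError("could not issue a unique nonce: suffix generator repeats")


def demo() -> dict:
    """Run the scenarios on the spec's example instant (constructed input)."""
    t = datetime(2005, 5, 15, 17, 11, 51, tzinfo=timezone.utc)
    store = NonceStore()
    a = issue_unique_nonce(store, t)
    b = issue_unique_nonce(store, t)  # same second, still distinct
    # Stand-in for a weak generator that yields the same suffix twice in a second.
    weak_store = NonceStore()
    first = issue_unique_nonce(weak_store, t, suffix_fn=lambda: "deadbeef")
    try:
        issue_unique_nonce(weak_store, t, suffix_fn=lambda: "deadbeef")
        weak_rejected = False
    except RuntimeError:
        weak_rejected = True
    return {
        "prefix": format_timestamp(t),
        "distinct": a != b,
        "valid": is_valid_nonce(a) and is_valid_nonce(b),
        "weak_first": first,
        "weak_rejected": weak_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same set-if-absent store is what a relying party needs on the verification side: a response_nonce it has already accepted must be rejected as a replay, so both the issuer and the verifier depend on the nonce never repeating.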