Two nonces collided - OpenStackID
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-org | Fix Released | Undecided | Jimmy McArthur |
Bug Description
OpenID.
Value: A string 255 characters or less in length, that MUST be unique to this particular successful authentication response. The nonce MUST start with the current time on the server, and MAY contain additional ASCII characters in the range 33-126 inclusive (printable non-whitespace characters), as necessary to make each response unique. The date and time MUST be formatted as specified in section 5.6 of [RFC3339], with the following restrictions:
- All times must be in the UTC timezone, indicated with a "Z".
- No fractional seconds are allowed.
For example: 2005-05-
These are the offending entries in table oid_nonces:
https:/
https:/
The following fix was applied and released shortly after the initial bug report:
Used a stronger random string generation algorithm (Zend lib): https://review.openstack.org/#/c/163814/
https:/
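The bug above comes down to the part of the nonce after the timestamp: within one second every response shares the same prefix, so uniqueness rests entirely on the suffix, and a suffix drawn from a small or weak random source collides. The following is an added illustration, written for this page and not code from OpenStackID or the Zend library, of the nonce format quoted from the OpenID spec: a generator that uses a CSPRNG suffix, a strict parser for the format (UTC "Z", no fractional seconds, only ASCII 33-126 after the timestamp, at most 255 characters), a relying-party store that accepts each nonce once within a clock-skew window, and a constructed weak generator (three-digit suffix) to show how quickly same-second collisions appear. The timestamps and the weak generator are constructed samples; `max_skew` is an assumed policy value, not one the page specifies.

```python
import random
import re
import secrets
from datetime import datetime, timedelta, timezone

NONCE_MAX_LEN = 255
# RFC 3339 date-time, UTC "Z", no fractional seconds, then zero or more
# printable non-whitespace ASCII characters (codes 33-126) for uniqueness.
NONCE_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)")
STAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_nonce(now=None, suffix_bytes=16):
    """Server side: UTC second-resolution timestamp plus a CSPRNG-derived suffix."""
    now = now or datetime.now(timezone.utc)
    # token_urlsafe emits only A-Z a-z 0-9 '-' '_', all within ASCII 33-126.
    nonce = now.strftime(STAMP_FMT) + secrets.token_urlsafe(suffix_bytes)
    if len(nonce) > NONCE_MAX_LEN:
        raise ValueError("nonce exceeds 255 characters")
    return nonce


def make_weak_nonce(now, rng):
    """Constructed example of a bad generator: a 3-digit suffix from a PRNG.
    Only 1000 distinct nonces are possible per second."""
    return now.strftime(STAMP_FMT) + "%03d" % rng.randrange(1000)


def parse_nonce(nonce):
    """Return (timestamp, suffix) if the nonce matches the spec format, else None."""
    if not isinstance(nonce, str) or len(nonce) > NONCE_MAX_LEN:
        return None
    m = NONCE_RE.fullmatch(nonce)
    if m is None:
        return None
    try:
        stamp = datetime.strptime(m.group(1), STAMP_FMT).replace(tzinfo=timezone.utc)
    except ValueError:  # e.g. month 13, which the regex alone would accept
        return None
    return stamp, m.group(2)


class NonceStore:
    """Relying-party side: a nonce is accepted once, and only while its
    timestamp is within max_skew (assumed policy) of the local clock."""

    def __init__(self, max_skew=timedelta(minutes=5)):
        self.max_skew = max_skew
        self._seen = {}  # nonce -> timestamp, so old entries can be pruned

    def consume(self, nonce, now=None):
        now = now or datetime.now(timezone.utc)
        parsed = parse_nonce(nonce)
        if parsed is None:
            return False  # malformed
        stamp, _ = parsed
        if abs(now - stamp) > self.max_skew:
            return False  # stale or from the future: outside the window
        if nonce in self._seen:
            return False  # replay: this exact nonce was already accepted
        self._seen[nonce] = stamp
        return True

    def prune(self, now=None):
        """Drop nonces that can no longer be accepted anyway; returns count removed."""
        now = now or datetime.now(timezone.utc)
        stale = [n for n, s in self._seen.items() if abs(now - s) > self.max_skew]
        for n in stale:
            del self._seen[n]
        return len(stale)


def collisions(nonces):
    """Number of duplicate entries, i.e. what a UNIQUE index on the nonce would reject."""
    return len(nonces) - len(set(nonces))


def same_second_collisions(count, weak):
    """Generate `count` nonces for one server second and count duplicates."""
    t = datetime(2015, 3, 12, 10, 0, 0, tzinfo=timezone.utc)  # constructed sample
    if weak:
        rng = random.Random(0)  # fixed seed: reproducible constructed run
        return collisions([make_weak_nonce(t, rng) for _ in range(count)])
    return collisions([make_nonce(t) for _ in range(count)])
```

`same_second_collisions(200, weak=True)` reproduces the failure mode: two hundred responses in the same second, a thousand possible suffixes, and the UNIQUE constraint on `oid_nonces` has to refuse some of them. With a 16-byte CSPRNG suffix the same run yields zero duplicates, and the store then enforces single use and a freshness window on top of the format check.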