Comment 0 for bug 1179615

Eoghan Glynn (eglynn) wrote: auth_token middleware neglects to check expiry of signed token

Unless I'm mistaken, the keystoneclient auth_token middleware seems to be neglecting to check the expiry of signed tokens.

Instead, it only checks if the proposed token has been explicitly revoked:

  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1047

Surely the expiration timestamp needs to be checked also and the token rejected if expired.
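The check the report asks for, as an added illustration (not python-keystoneclient's own code): a validator that rejects a signed token both when it appears on the revocation list and when its expiry timestamp has passed. The payload layout (`access -> token -> {id, expires}`), the revocation-list shape and the sample values are assumptions constructed for the example.

```python
# Added example, not code from python-keystoneclient: validate a decoded
# token payload by checking BOTH the revocation list and the expiry time.
# The token layout and revocation-list format are assumptions modelled
# loosely on the Keystone v2 token shape; all sample values are constructed.
from datetime import datetime, timedelta, timezone

# Constructed revocation list: ids of tokens revoked before their expiry.
REVOKED_TOKEN_IDS = {"tok-revoked-0001"}

# Constructed "current time" so the example is deterministic.
SAMPLE_NOW = datetime(2013, 5, 13, 12, 0, tzinfo=timezone.utc)


def _parse_expires(expires):
    """Parse an ISO 8601 'expires' value; treat a missing offset as UTC."""
    if expires.endswith("Z"):
        expires = expires[:-1] + "+00:00"
    dt = datetime.fromisoformat(expires)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def validate_token(token_data, now=None, revoked=REVOKED_TOKEN_IDS,
                   skew=timedelta(0)):
    """Return (ok, reason). A token must be unrevoked AND unexpired.

    'skew' is a small tolerance for clock drift between services."""
    now = now or datetime.now(timezone.utc)
    try:
        tok = token_data["access"]["token"]
        token_id = tok["id"]
        expires = _parse_expires(tok["expires"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    if token_id in revoked:
        return False, "revoked"
    # The check the bug report says is missing: a signature that verifies
    # and an id absent from the revocation list are not enough on their own.
    if expires + skew <= now:
        return False, "expired"
    return True, "valid"


def sample_token(token_id, expires):
    """Build a constructed token payload in the assumed layout."""
    return {"access": {"token": {"id": token_id, "expires": expires}}}


if __name__ == "__main__":
    print(validate_token(sample_token("tok-ok-0002", "2013-05-13T13:00:00Z"), SAMPLE_NOW))
    print(validate_token(sample_token("tok-old-0003", "2013-05-13T11:00:00Z"), SAMPLE_NOW))
    print(validate_token(sample_token("tok-revoked-0001", "2013-05-13T13:00:00Z"), SAMPLE_NOW))
```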