Comment 16 for bug 1179615
Revision history for this message
| Eoghan Glynn (eglynn) wrote Re: auth_token middleware neglects to check expiry of signed token | #16 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
@dolph
> On description: s/as long as the user wasn't disabled/as long as the token wasn't otherwise revoked/
That brings up interesting point.
If I'm reading the keystone code correctly, only *non-expired* revoked tokens are returned from Driver.
https:/
So a token that has been both revoked *and* expired would not be reported as revoked (presumably the assumption here is that the token would fall in any case on the expiry-check hurdle, so no need to pollute the reported revoked list with really old tokens).
IIUC this makes the vulnerability a tad worse, as the effect of revocation is reversed if the token is re-used post-expiry.