Title: Token revocation does not revoke cached tokens
Reporter: Alexei Kornienko (Mirantis)
Products: python-keystoneclient
Affects: All versions up to 0.6.0
Description:
Alexei Kornienko from Mirantis reported a vulnerability in the Keystone auth_token middleware (shipped in python-keystoneclient). Once a user is authenticated to a service, issuing a token revocation for this user won't prevent him from using that service with the same token until it expires. Only Keystone middleware setups using auth_token with PKI tokens and cache enabled are affected.
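The behaviour described above, modelled as an added example (not code from python-keystoneclient): a cache hit that skips the revocation list next to one that consults it. The TokenCache class, its method names and the token id are hypothetical, and signature verification is left out.

```python
import time


class TokenCache:
    """Toy model of a middleware token cache (hypothetical, not keystoneclient code)."""

    def __init__(self, check_revocation_on_hit):
        self.check_revocation_on_hit = check_revocation_on_hit
        self._cache = {}      # token_id -> expiry timestamp
        self.revoked = set()  # stands in for the fetched revocation list

    def _verify_uncached(self, token_id, expires_at, now):
        # Stand-in for full PKI verification: the signature check is omitted,
        # only expiry and revocation are modelled.
        if expires_at <= now or token_id in self.revoked:
            return False
        self._cache[token_id] = expires_at
        return True

    def validate(self, token_id, expires_at, now=None):
        now = time.time() if now is None else now
        cached_expiry = self._cache.get(token_id)
        if cached_expiry is None:
            return self._verify_uncached(token_id, expires_at, now)
        if cached_expiry <= now:
            del self._cache[token_id]
            return False
        # Cache hit. With the flag off, this returns True without looking at
        # the revocation list, which is the behaviour the report describes.
        if self.check_revocation_on_hit and token_id in self.revoked:
            del self._cache[token_id]
            return False
        return True


def replay_after_revocation(check_revocation_on_hit):
    """Authenticate once, revoke the token, then present it again twice."""
    mw = TokenCache(check_revocation_on_hit)
    now, token = 1000.0, "tok-constructed"  # constructed sample values
    first = mw.validate(token, expires_at=now + 3600, now=now)
    mw.revoked.add(token)
    second = mw.validate(token, expires_at=now + 3600, now=now + 60)
    after_expiry = mw.validate(token, expires_at=now + 3600, now=now + 7200)
    return first, second, after_expiry


if __name__ == "__main__":
    print("revocation skipped on cache hit:", replay_after_revocation(False))
    print("revocation checked on cache hit:", replay_after_revocation(True))
```

With the check skipped, the revoked token is still accepted until its cached expiry passes; with the check in place, the second request is rejected and the cache entry is dropped.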