
yahoo-eng-team team mailing list archive

[Bug 1179615] Re: [OSSA 2013-014] auth_token middleware neglects to check expiry of signed token


OSSA 2013-014

** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1179615

Title:
  [OSSA 2013-014] auth_token middleware neglects to check expiry of
  signed token

Status in OpenStack Identity (Keystone):
  Invalid
Status in Keystone folsom series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released
Status in Python client library for Keystone:
  Fix Committed

Bug description:
  Unless I'm mistaken, the keystoneclient auth_token middleware seems to
  be neglecting to check the expiry of signed tokens.

  Instead, it only checks if the proposed token has been explicitly
  revoked:

    https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1047

  Surely the expiration timestamp needs to be checked also and the token
  rejected if expired.
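Added illustration (not code from keystoneclient or from the bug report): the revocation-only check the report describes, beside a check that also rejects expired tokens and fails closed when no expiry is present. The token layout, the `expires` field name and the set of revoked token ids are assumptions for this example.

```python
from datetime import datetime, timezone

# Constructed sample: decoded body of a signed token after its signature has
# already been verified. The nested layout is an assumption for illustration.
SAMPLE_TOKEN = {
    "access": {
        "token": {
            "id": "tok-1234",
            "expires": "2013-05-13T12:00:00Z",
        }
    }
}


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp (trailing 'Z' allowed) into an aware UTC datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:  # naive timestamps are treated as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def validate_revocation_only(token: dict, revoked_ids: set) -> bool:
    """The behaviour the bug report describes: only the revocation list is consulted,
    so a token past its expiry is still accepted."""
    return token["access"]["token"]["id"] not in revoked_ids


def validate_token(token: dict, revoked_ids: set, now=None):
    """Hardened check: reject revoked tokens, expired tokens, and tokens with no expiry.
    `now` may be an aware datetime or an ISO 8601 string; defaults to the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_utc(now)
    data = token["access"]["token"]
    if data["id"] in revoked_ids:
        return False, "revoked"
    expires = data.get("expires")
    if expires is None:
        return False, "missing expiry"  # fail closed rather than accept an unbounded token
    if parse_utc(expires) <= now:
        return False, "expired"
    return True, "ok"
```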

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1179615/+subscriptions