yahoo-eng-team team mailing list archive

[Bug 1243336] Re: Rescope in V3 for invalid/expired token should return unauthorized (returns 404 currently)

 

This has been previously discussed, and 404 is the preferred status code
for an invalid subject token, which must be distinguished from an
invalid X-Auth-Token. An invalid/revoked/expired X-Subject-Token CANNOT
be "considered similar to providing incorrect username or password" --
the requestor is authenticated by the X-Auth-Token, not by the
X-Subject-Token. I don't think there's any room to change status codes
here.

** Changed in: keystone
       Status: Triaged => Opinion

** Changed in: python-keystoneclient
       Status: Triaged => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1243336

Title:
  Rescope in V3 for invalid/expired token should return unauthorized
  (returns 404 currently)

Status in OpenStack Identity (Keystone):
  Opinion
Status in Python client library for Keystone:
  Opinion

Bug description:
  Token rescope operation in V3 API is currently returning "Not Found"
  (404) error for invalid or expired token input. Like other plugins, it
  should be considered as re-verification of authentication data and
  should return "Unauthorized" (401) error for this case. This can be
  considered similar to providing incorrect username or password in
  password method credentials data.

  Related code is in:
  https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/token.py#L40

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1243336/+subscriptions