yahoo-eng-team team mailing list archive
Message #18170
[Bug 1349597] [NEW] Domain-scoped tokens don't get revoked
*** This bug is a security vulnerability ***
Public security bug reported:
If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked.
This is because the code to calculate the fields for a domain-scoped
token doesn't use the domain-scope so that information can't be used when
testing against the revocation events.
** Affects: keystone
Importance: Undecided
Assignee: Brant Knudson (blk-u)
Status: In Progress
** Changed in: keystone
Assignee: (unassigned) => Brant Knudson (blk-u)
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1349597
Title:
Domain-scoped tokens don't get revoked
Status in OpenStack Identity (Keystone):
In Progress
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1349597/+subscriptions
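
The failure described in this report, sketched as a small model with a regression check. This is an added example, not Keystone's code or the fix for this bug; the token layout, the field names, and the functions `token_fields_buggy`, `token_fields_fixed`, `is_revoked` and `unmatched_scopes` are assumptions made for illustration.

```python
"""Toy model of revocation-event matching (constructed; not Keystone's code)."""

SCOPE_KEYS = {"project": "project_id", "domain": "domain_id"}  # hypothetical names


def token_fields_buggy(token):
    """Flatten a token into the fields compared against revocation events.

    Reproduces the reported defect: the domain scope is never copied out.
    """
    fields = {"user_id": token["user"]["id"]}
    if "project" in token:
        fields["project_id"] = token["project"]["id"]
    return fields


def token_fields_fixed(token):
    """Same flattening, but every scope present on the token is carried over."""
    fields = {"user_id": token["user"]["id"]}
    for scope, key in SCOPE_KEYS.items():
        if scope in token:
            fields[key] = token[scope]["id"]
    return fields


def is_revoked(events, fields):
    """An event matches when every attribute it sets equals the token's field."""
    return any(all(fields.get(k) == v for k, v in ev.items()) for ev in events)


def unmatched_scopes(extract, tokens):
    """Regression check: scopes present on a token but missing from its fields."""
    return [(t["user"]["id"], s) for t in tokens for s, k in SCOPE_KEYS.items()
            if s in t and extract(t).get(k) != t[s]["id"]]


# Constructed sample data: one domain-scoped and one project-scoped token.
DOMAIN_TOKEN = {"user": {"id": "u1"}, "domain": {"id": "d1"}}
PROJECT_TOKEN = {"user": {"id": "u2"}, "project": {"id": "p1"}}
EVENTS = [{"domain_id": "d1"}, {"project_id": "p1"}]  # d1 and p1 invalidated

if __name__ == "__main__":
    for name, extract in (("buggy", token_fields_buggy), ("fixed", token_fields_fixed)):
        print(name,
              "domain token revoked:", is_revoked(EVENTS, extract(DOMAIN_TOKEN)),
              "| project token revoked:", is_revoked(EVENTS, extract(PROJECT_TOKEN)),
              "| missing scopes:", unmatched_scopes(extract, [DOMAIN_TOKEN, PROJECT_TOKEN]))
```

Running `unmatched_scopes` over one sample token per scope type in a unit test flags any scope whose identifier never reaches the matcher.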