yahoo-eng-team team mailing list archive

[Bug 1348820] Re: Token issued_at time changes on /v3/auth/token GET requests

 

** Also affects: ossa
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1348820

Title:
  Token issued_at time changes on /v3/auth/token GET requests

Status in OpenStack Identity (Keystone):
  Fix Committed
Status in OpenStack Security Advisories:
  New

Bug description:
  Steps to recreate

  1.) Generate a v2.0 token
  http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf

  2.) Pull the token from the body of the response and use the /v3/auth/tokens/ GET API call to verify the token
  http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4

  Notice that the 'issued_at' time of the token has changed.

  3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
  http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt

  The 'issued_at' time of a token should not change when validating the
  token using the /v3/auth/token GET API call.

  This is because the issued_at time is being overwritten on GET here:
  https://github.com/openstack/keystone/blob/83c7805ed3787303f8497bc479469d9071783107/keystone/token/providers/common.py#L319

  This seems like it has been written strictly for POSTs? In the case of
  POST, the issued_at time needs to be generated; in the case of HEAD or
  GET, the issued_at time should already exist.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1348820/+subscriptions
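
The behaviour reported above, as an added example that is not part of the original bug report and is not Keystone's code: a validation path that re-stamps issued_at beside one that reuses the stored value, plus a regression check that validates the same token repeatedly. The in-memory store, the stepping clock, the sample date and all function names are assumptions made for illustration.

```python
import datetime

# Constructed in-memory token store standing in for a persistence backend.
# Every name here is hypothetical; this is not Keystone's provider code.
_STORE = {}

def _now_iso(clock):
    return clock().strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def issue_token(token_id, user_id, clock):
    """POST path: the only place a fresh issued_at should be generated."""
    _STORE[token_id] = {"user_id": user_id, "issued_at": _now_iso(clock)}
    return dict(_STORE[token_id])

def validate_buggy(token_id, clock):
    """GET/HEAD path with the reported defect: issued_at is re-stamped."""
    data = dict(_STORE[token_id])
    data["issued_at"] = _now_iso(clock)  # overwrites the stored value
    return data

def validate_fixed(token_id, clock):
    """GET/HEAD path that reuses the stored issued_at; stamps only if absent."""
    data = dict(_STORE[token_id])
    if "issued_at" not in data:
        data["issued_at"] = _now_iso(clock)
    return data

def issued_at_is_stable(validate, token_id, clock, rounds=3):
    """Regression check: repeated validation must yield one issued_at value."""
    seen = {validate(token_id, clock)["issued_at"] for _ in range(rounds)}
    return len(seen) == 1

def make_clock(start):
    """Deterministic clock that advances one second per call (constructed)."""
    state = {"t": start}
    def clock():
        state["t"] += datetime.timedelta(seconds=1)
        return state["t"]
    return clock

def demo():
    clock = make_clock(datetime.datetime(2014, 7, 25, 12, 0, 0))  # constructed date
    issued = issue_token("tok-1", "user-1", clock)
    return (issued["issued_at"],
            issued_at_is_stable(validate_buggy, "tok-1", clock),
            issued_at_is_stable(validate_fixed, "tok-1", clock),
            validate_fixed("tok-1", clock)["issued_at"])

if __name__ == "__main__":
    print(demo())
```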

