
yahoo-eng-team team mailing list archive

[Bug 1420120] [NEW] oauth request token can be created with a project that doesn't exist

 

Public bug reported:

An oauth request token can be created with a project that doesn't
exist. There is no security risk here since when the request token is
exchanged for an access token, the controller checks if the user has
roles on that project.

This causes confusion for the delegator/delegatee, since the request
token was created fine, leading to a poor user experience. We should
check to ensure the project is created.

** Affects: keystone
     Importance: Undecided
     Assignee: Steve Martinelli (stevemar)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1420120

Title:
  oauth request token can be created with a project that doesn't exist

Status in OpenStack Identity (Keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1420120/+subscriptions