yahoo-eng-team team mailing list archive

[Bug 1433372] Re: Fernet tokens with base64 padding are not URL-safe


As it turns out, the output of base64.urlsafe_b64encode() is not
actually URL-safe if the result includes padding. The padding character
is '=' which must be percent-encoded.

The result is that "valid" tokens are being made URL-friendly by some
defensive code in keystonemiddleware, and are thus made unusable by
keystone during validation.

  https://travis-ci.org/dolph/keystone-deploy/builds/54734386

If keystone emitted URL-safe tokens in the first place, the defensive
code in keystonemiddleware wouldn't be triggered, and everything works
properly.

Unfortunately, PKI and PKIZ tokens exhibit a similar symptom, but
apparently due to a different cause.

** Summary changed:

- safe_quote doesn't work for Fernet/PKI/PKIz tokens
+ Fernet tokens with base64 padding are not URL-safe

** Also affects: keystone
   Importance: Undecided
       Status: New

** Changed in: keystone
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1433372

Title:
  Fernet tokens with base64 padding are not URL-safe

Status in OpenStack Identity (Keystone):
  In Progress
Status in OpenStack Identity (Keystone) Middleware:
  In Progress

Bug description:
  The safe_quote() method, which happens unconditionally on verify_token
  in keystone auth_token middleware, doesn't seem to work when being
  used with Fernet, PKI, or PKIz tokens [1]. This method modifies the
  token [2] before passing it to Keystone, and in the Fernet case, the
  token_formatter is unable to decrypt the token. This is not apparent
  with UUID formatted tokens because they are UUID safe, given
  uuid.uuid4().hex.

  This can be recreated using keystone-deploy's fernet-token branch, as
  well as the PKI and PKIz configurations [3].

  [1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
  [2] http://cdn.pasteraw.com/jt7zlnanjmcwqyu5gt9k4vcspy1pj9p
  [3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py
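The failure described above (a '=' padded base64url token percent-encoded by the middleware's defensive quoting, then rejected on the server side) and the padding-stripping approach that makes the token URL-safe, as an added Python example; this is not keystone's or keystonemiddleware's code, and the token bytes and the safe_quote stand-in are constructed assumptions:

```python
import base64
import binascii
from urllib.parse import quote

# Constructed stand-in for a Fernet token body: 73 bytes laid out like
# version byte + timestamp + IV + one cipher block + HMAC. Not a real token.
RAW_TOKEN = bytes([0x80]) + bytes(8) + bytes(range(16)) + bytes(16) + bytes(32)


def emit_token(raw: bytes, strip: bool) -> str:
    """Server side: base64url-encode; optionally drop the '=' padding so the
    token only contains unreserved URL characters."""
    token = base64.urlsafe_b64encode(raw).decode("ascii")
    return token.rstrip("=") if strip else token


def safe_quote(token: str) -> str:
    """Assumed stand-in for the middleware's defensive quoting: percent-encode
    everything outside the unreserved set, which turns '=' into '%3D'."""
    return quote(token, safe="~")


def validate_token(token: str, raw: bytes, repad: bool) -> bool:
    """Server side: re-add padding when repad is set, decode, and check that the
    bytes match the original. Returns False instead of raising on bad input."""
    if repad:
        token += "=" * (-len(token) % 4)
    try:
        return base64.urlsafe_b64decode(token) == raw
    except (binascii.Error, ValueError):
        return False


def round_trip(raw: bytes, strip: bool, repad: bool) -> bool:
    """Emit a token, pass it through the quoting middleware, validate it."""
    return validate_token(safe_quote(emit_token(raw, strip)), raw, repad)


if __name__ == "__main__":
    # Padded token: quoting mangles the '=' and validation fails.
    print("padded token survives quoting:", round_trip(RAW_TOKEN, False, False))
    # Unpadded token: nothing to quote, server re-pads before decoding.
    print("unpadded token survives quoting:", round_trip(RAW_TOKEN, True, True))
```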