yahoo-eng-team team mailing list archive
Message #29773
[Bug 1420120] Re: oauth request token can created with a project that doesn't exist
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1420120
Title:
oauth request token can created with a project that doesn't exist
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
An oauth request token can be created with a project that doesn't
exist. There is no security risk here since when the request token is
exchanged for an access token, the controller checks if the user has
roles on that project.
This causes confusion for the delegator/delegatee, since the request
token was created fine, leading to a poor user experience. We should
check to ensure the project is created.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1420120/+subscriptions