yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1299039] Re: Token Scoping

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Dolph Mathews <1299039@xxxxxxxxxxxxxxxxxx>
Date: Tue, 05 May 2015 15:03:34 -0000
Reply-to: Bug 1299039 <1299039@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Implemented as part of:

  https://blueprints.launchpad.net/keystone/+spec/rescoping

** Changed in: keystone
    Milestone: None => 2015.1.0

** Changed in: keystone
       Status: Triaged => Fix Released

** Changed in: keystone
     Assignee: Priti Desai (priti-desai) => Adam Young (ayoung)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1299039

Title:
  Token Scoping

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  In Havana Stable release for both V2.0 an V3,

  A scoped token can be used to get another scoped or un-scopped token.
  This can be exploited by anyone who has gained access to  a scoped
  token.

  For example,

  1. userA is related to two projects: Project1, Project2
  2. userA creates  tokenA scoped by Project1
  3.  userA  shares the tokenA to a third party (malicious).  
  4. Third party can now make a token creation call to create a new tokenB scoped under projectB using tokenA.

  Although, we know that bearer token has all or nothing property, scoping the token can limit the exposure. 
  A scoped token should not be allowed to create another scoped token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1299039/+subscriptions

References

[Bug 1299039] [NEW] Token Scoping
From: Abu Shohel Ahmed, 2014-03-28