yahoo-eng-team team mailing list archive

[Bug 1477600] [NEW] Token Validation API returns 401 not 404 on invalid token

Public bug reported:

Validate token API specifies 404 response for invalid Subject tokens:
http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not clear, but KSC/middleware/auth_token has the same logic as v2.0)

For Fernet tokens, this API returns 401 for invalid token:

curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid' localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}

I've checked the tests and found an incorrect one. The API spec requires 404;
the test checks for 401.

https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51

Looks like it's broken in one of these places:

Controller doesn't check the return https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Fernet token's core doesn't check the return here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
Fernet token raises 401 here https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201

Note that the UUID token raises 404 here, as expected:
https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1477600
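
An added example, not Keystone's code, of the status-code mapping the report asks for: the token formatter raises Unauthorized for any token it cannot verify (as the Fernet formatter does), and the controller translates that into 404 for the X-Subject-Token while an unverifiable X-Auth-Token still yields 401. The HMAC-signed "payload.mac" format, the key and the user ids are constructed stand-ins for Fernet tokens.

```python
# Added example (not Keystone's code): a minimal model of the validate-token
# path from the report. The formatter, like the Fernet formatter, raises
# Unauthorized for any token it cannot verify. The controller must turn that
# into 404 for the *subject* token while keeping 401 for the *auth* token.
# Stand-in token format: "<payload>.<hmac>" signed with a constructed key.
import hashlib
import hmac

KEY = b"constructed-demo-key"  # placeholder; a real deployment uses Fernet keys


class Unauthorized(Exception):
    http_status = 401


class TokenNotFound(Exception):
    http_status = 404


def issue_token(user_id):
    """Mint a constructed token for user_id (stand-in for Fernet encryption)."""
    mac = hmac.new(KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def formatter_validate(token):
    """Stand-in for token_formatters.validate_token: raises Unauthorized
    whenever the token does not verify, regardless of which header sent it."""
    payload, sep, mac = token.rpartition(".")
    expected = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac, expected):
        raise Unauthorized("token did not validate")
    return {"user_id": payload}


def validate_subject_token(token):
    """The translation the report asks for: an unverifiable *subject* token
    is a lookup miss (404), not an authentication failure of the caller."""
    try:
        return formatter_validate(token)
    except Unauthorized:
        raise TokenNotFound("subject token not found") from None


def get_auth_tokens(headers):
    """GET /v3/auth/tokens: returns (status, body) for the given headers."""
    try:
        formatter_validate(headers.get("X-Auth-Token", ""))  # caller's own token
        subject = validate_subject_token(headers.get("X-Subject-Token", ""))
    except (Unauthorized, TokenNotFound) as exc:
        return exc.http_status, {"error": str(exc)}
    return 200, {"token": subject}
```

The distinction matters to callers such as auth_token middleware, which treat 401 as "my own credentials failed" and 404 as "the user's token is invalid".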