yahoo-eng-team team mailing list archive

[Bug 1501032] [NEW] incorrect method list is returned when scoping tokens with federation

 

Public bug reported:

In keystone, when a user gets an unscoped token using a password and
their username, the unscoped token response contains a method list. This
method list will consist of ['password'], since it was the method used
to obtain the token. When the user goes to scope their unscoped token to
a project, the project scoped response will contain a method list of
['password', 'token'], since a password was used initially, and the
unscoped token was also used as a form of authentication.

In federation, when a user gets an unscoped token from a valid SAML
assertion, the unscoped response's method list will consist of
['saml2']. When the user goes to get a project scoped token, the project
scoped response's method list will only contain ['saml2']. The 'token'
entry is missing from the method list for rescoped federated tokens,
despite using an unscoped token as a method of authentication.


This seems to be an inconsistency between the authentication API and the federated authentication API.

I've pushed a patch that exposes this bug here -
https://review.openstack.org/#/c/229125/

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: federation

** Tags added: federation

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1501032

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1501032/+subscriptions
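
The inconsistency described in the report, as an added example that is not part of the original message or keystone's own code: a small checker that compares the method list of an unscoped token response with that of the rescoped response. The function names and the sample bodies are assumptions constructed for illustration; only the "token"/"methods" layout and the method values come from the report.

```python
"""Check that a rescoped token's method list records the token used to rescope."""


def expected_rescope_methods(unscoped_methods):
    """Methods the report expects after rescoping: the originals plus 'token'."""
    expected = list(unscoped_methods)
    if "token" not in expected:
        expected.append("token")
    return expected


def check_rescope(unscoped_body, scoped_body):
    """Return a list of findings; an empty list means the method lists agree."""
    before = unscoped_body["token"]["methods"]
    after = scoped_body["token"]["methods"]
    findings = []
    if "project" not in scoped_body["token"]:
        findings.append("scoped response carries no project scope")
    expected = expected_rescope_methods(before)
    missing = [m for m in expected if m not in after]
    extra = [m for m in after if m not in expected]
    if missing:
        findings.append(f"missing methods: {missing}")
    if extra:
        findings.append(f"unexpected methods: {extra}")
    return findings


# Constructed sample bodies, reduced to the fields the check reads.
PROJECT = {"id": "constructed-project-id"}
PASSWORD_UNSCOPED = {"token": {"methods": ["password"]}}
PASSWORD_SCOPED = {"token": {"methods": ["password", "token"], "project": PROJECT}}
SAML_UNSCOPED = {"token": {"methods": ["saml2"]}}
SAML_SCOPED = {"token": {"methods": ["saml2"], "project": PROJECT}}

if __name__ == "__main__":
    flows = (
        ("password", PASSWORD_UNSCOPED, PASSWORD_SCOPED),
        ("federated", SAML_UNSCOPED, SAML_SCOPED),
    )
    for name, unscoped, scoped in flows:
        print(name, check_rescope(unscoped, scoped) or "consistent")
```

Run against real responses, the same check can serve as a regression test once the federated rescoping path is changed to append 'token'.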

