
yahoo-eng-team team mailing list archive

[Bug 1579659] [NEW] oauth login silently ignores scope


Public bug reported:

OAuth authentication is always scoped within an oauth authentication.

Because it's still just a v3 authentication you can provide your own
scope with an oauth request. Whatever you provide as scope to the
authentication is silently ignored and your token is scoped to whatever
project the oauth is scoped to.

Note: This should not be a security risk because you are always being
scoped to where your authorization is. The oauth scope is being used in
preference to your request scope.

I think this should fail. If you provide scope information separate and
different from your oauth scope information then this should be a bad
request and you should not get a token.


I'm attaching the test script I'm using to play with oauth. You can run it with the admin credentials from devstack.

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "oauthtest.py"
   https://bugs.launchpad.net/bugs/1579659/+attachment/4659027/+files/oauthtest.py
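The behaviour the report asks for, as an added example that is not keystone's code and not the attached script: a v3 auth request that carries an explicit `scope` is checked against the project the OAuth1 access token was authorized for, and a mismatch is rejected with a 400 instead of being silently overridden. The request body layout follows the v3 `auth` JSON (`identity.methods`, `scope.project.id`); the access-token record shape and the `validate_oauth1_auth` function are assumptions for illustration, and projects are compared by id only.

```python
from typing import Any, Dict

# Constructed sample: the record keystone would hold for an authorized OAuth1
# access token. Only the project it was authorized for matters here (assumed field).
ACCESS_TOKEN_RECORD = {"id": "tok-0001", "project_id": "proj-A"}


def validate_oauth1_auth(auth_body: Dict[str, Any], access_token: Dict[str, Any]) -> Dict[str, Any]:
    """Decide what project a token issued for this request must be scoped to.

    Reported behaviour: any request scope is ignored and the OAuth scope wins.
    Fail-closed behaviour implemented here: a request scope that names anything
    other than the OAuth-authorized project is a 400, and no token is issued.
    Returns a small result dict so callers (and tests) can inspect the outcome.
    """
    auth = auth_body.get("auth", {})
    methods = auth.get("identity", {}).get("methods", [])
    if "oauth1" not in methods:
        return {"status": 400, "error": "not an oauth1 authentication request"}

    oauth_project = access_token["project_id"]
    scope = auth.get("scope")
    if scope is None:
        # No explicit scope: the OAuth authorization alone decides the scope.
        return {"status": 201, "project_id": oauth_project}

    # Extract a project id from the request scope; domain/system/unscoped
    # requests yield None and are therefore treated as conflicting.
    requested = None
    if isinstance(scope, dict) and isinstance(scope.get("project"), dict):
        requested = scope["project"].get("id")

    if requested != oauth_project:
        return {
            "status": 400,
            "error": f"requested scope {requested!r} conflicts with oauth scope {oauth_project!r}",
        }
    return {"status": 201, "project_id": oauth_project}


def oauth1_request(scope: Any = None) -> Dict[str, Any]:
    """Build a constructed v3 auth body using the oauth1 method (signature omitted)."""
    body: Dict[str, Any] = {"auth": {"identity": {"methods": ["oauth1"], "oauth1": {}}}}
    if scope is not None:
        body["auth"]["scope"] = scope
    return body


if __name__ == "__main__":
    for req in (oauth1_request(), oauth1_request({"project": {"id": "proj-B"}})):
        print(validate_oauth1_auth(req, ACCESS_TOKEN_RECORD))
```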

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1579659
