yahoo-eng-team team mailing list archive

[Bug 1501032] Re: incorrect method list is returned when scoping tokens with federation

 

Reviewed:  https://review.openstack.org/431181
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a7677be518d193518286ba3539541bb6d75970ca
Submitter: Jenkins
Branch:    master

commit a7677be518d193518286ba3539541bb6d75970ca
Author: Ronald De Rose <ronald.de.rose@xxxxxxxxx>
Date:   Wed Feb 8 21:21:06 2017 +0000

    Include 'token' in the method list for federated scoped tokens
    
    Closes-Bug: #1501032
    Change-Id: I52b1c236569db7cbddf44a196c9a98a0b1547215


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1501032

Title:
  incorrect method list is returned when scoping tokens with federation

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In keystone, when a user gets an unscoped token using a password and
  their username, the unscoped token response contains a method list.
  This method list will consist of ['password'], since it was the method
  used to obtain the token. When the user goes to scope their unscoped
  token to a project, the project scoped response will contain a method
  list of ['password', 'token'], since a password was used initially,
  and the unscoped token was also used as a form of authentication.

  In federation, when a user gets an unscoped token from a valid SAML
  assertion, the unscoped response's method list will consist of
  ['saml2']. When the user goes to get a project scoped token, the
  project scoped response's method list will only contain ['saml2']. The
  'token' entry is missing from the method list for rescoped federated
  tokens, despite using an unscoped token as a method of authentication.

  This seems to be an inconsistency between the authentication API and
  the federated authentication API.

  I've pushed a patch that exposes this bug here -
  https://review.openstack.org/#/c/229125/

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1501032/+subscriptions
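
Added example (not part of the bug report or the keystone patch): a Python check of the invariant the description states, that a rescoped token's method list is the unscoped token's list plus 'token'. The token bodies are constructed samples shaped like a Keystone v3 token response, and the function names are hypothetical.

```python
# Token bodies are constructed samples ({"token": {"methods": [...]}});
# no live Keystone is contacted. Function names are hypothetical.

def _methods(body):
    """Extract the method list, rejecting bodies that do not carry one."""
    methods = body.get("token", {}).get("methods")
    if not isinstance(methods, list):
        raise ValueError("token body has no 'methods' list")
    return methods


def expected_rescoped_methods(unscoped_methods):
    """Methods a rescoped token should carry: the original ones plus 'token'."""
    expected = list(dict.fromkeys(unscoped_methods))  # keep order, drop repeats
    if "token" not in expected:
        expected.append("token")
    return expected


def audit_rescope(unscoped_body, scoped_body):
    """Return a list of findings; an empty list means the pair is consistent."""
    expected = expected_rescoped_methods(_methods(unscoped_body))
    actual = _methods(scoped_body)
    # Membership is compared, not order: the report does not specify ordering.
    findings = [f"missing method {m!r}" for m in expected if m not in actual]
    findings += [f"unexpected method {m!r}" for m in actual if m not in expected]
    return findings


# Constructed samples mirroring the two flows in the report.
PASSWORD_UNSCOPED = {"token": {"methods": ["password"]}}
PASSWORD_SCOPED = {"token": {"methods": ["password", "token"],
                             "project": {"name": "demo"}}}
SAML_UNSCOPED = {"token": {"methods": ["saml2"]}}
SAML_SCOPED_REPORTED = {"token": {"methods": ["saml2"],
                                  "project": {"name": "demo"}}}
SAML_SCOPED_WITH_TOKEN = {"token": {"methods": ["saml2", "token"],
                                    "project": {"name": "demo"}}}

if __name__ == "__main__":
    for label, unscoped, scoped in [
        ("password", PASSWORD_UNSCOPED, PASSWORD_SCOPED),
        ("saml2 (as reported)", SAML_UNSCOPED, SAML_SCOPED_REPORTED),
        ("saml2 (with 'token')", SAML_UNSCOPED, SAML_SCOPED_WITH_TOKEN),
    ]:
        print(label, audit_rescope(unscoped, scoped) or "consistent")
```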

