yahoo-eng-team team mailing list archive
Message #66548
[Bug 1511775] Re: Revoking a role revokes the unscoped token for a user
** Changed in: keystone
Status: In Progress => Invalid
** Changed in: keystone
Assignee: Lance Bragstad (lbragstad) => (unassigned)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1511775
Title:
Revoking a role revokes the unscoped token for a user
Status in OpenStack Identity (keystone):
Invalid
Bug description:
In Juno and Kilo, when a role is revoked from a user on a project, a
callback is triggered that invalidates all of that user's tokens. I
can see why we'd want to do that for scoped tokens. But by revoking
the unscoped token as well, the user is forced to log out and log back
in. It seems like the unscoped token should be left alone, since
revoking a role is an authorization change, and the unscoped token is
an authentication issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1511775/+subscriptions