yahoo-eng-team team mailing list archive

[OpenStack Infra <1291157@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/531915
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f463bdccf130ad5e6bd2adb5fba785455477de00
Submitter: Zuul
Branch:    master

commit f463bdccf130ad5e6bd2adb5fba785455477de00
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Mon Jan 8 22:03:50 2018 +0000

    Validate identity providers during token validation
    
    Previously, it was possible to validate a federated keystone token
    after the identity provider associated by that token was deleted,
    which is a security concern.
    
    This commit does two things. First it makes it so that the token
    cache is invalidated when identity providers are deleted. Second,
    it validates the identity provider in the token data and ensures it
    actually exists in the system before considering the token valid.
    
    Change-Id: I57491c5a7d657b25cc436452acd7fcc4cd285839
    Closes-Bug: 1291157


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1291157

Title:
  idp deletion should trigger token revocation

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When a federation IdP is deleted, the tokens that were issued (and
  still active) and associated with the IdP should be deleted. To
  prevent unwarranted access. The fix should delete any tokens that are
  associated with the idp, upon deletion (and possibly update, too).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1291157/+subscriptions