yahoo-eng-team team mailing list archive

[Bug 1796247] Re: Auth API returns 401 when the token has invalid project


The 401 and vague error message with regard to the token API is
deliberate, as providing specific details about the reason for failure
can be leveraged by an attacker to focus their attacks.

If you are running a test deployment and NOT RUNNING IN PRODUCTION,
there is an insecure_debug config option that you can switch on
temporarily which provides more helpful error messages in the 401
response and in the logs.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1796247

Title:
  Auth API returns 401 when the token has invalid project

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  In keystone/auth/core.py, _lookup_project() returns
  'exception.Unauthorized' when a ProjectNotFound exception occurs.

  At first we did not understand the cause, since it returns a 401 HTTP
  error code, and we were trying to fix role assignments. IMHO, when the
  token has an invalid project (in our case a deleted project was in the
  token), the API should return 404 instead of 401.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1796247/+subscriptions
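The following is an added, constructed illustration of the policy described in this thread (a deliberately generic 401 for every authentication failure, with the specific reason exposed only when a debug switch is on); it is not keystone's code. The names `IdentityStore`, `authenticate`, `lookup_project` and `indistinguishable`, and the sample users and projects, are invented for the example; the `insecure_debug` option and the `ProjectNotFound` to `Unauthorized` mapping follow the discussion above.

```python
"""Constructed example: why a token API answers a missing project with 401.

Example code, not keystone's implementation. It models the behaviour the
thread describes: a ProjectNotFound during token validation is reported as
the same generic 401 as a bad password, unless the deployment has switched
on an insecure_debug option that is only meant for non-production tests.
"""
from dataclasses import dataclass, field

# Wording is constructed; the point is that it is identical for every cause.
GENERIC_MESSAGE = "The request you have made requires authentication."


class ProjectNotFound(Exception):
    """Internal lookup failure; never surfaces to the client as a 404."""


class Unauthorized(Exception):
    """Every authentication failure; HTTP status is always 401."""

    def __init__(self, detail: str, insecure_debug: bool):
        # Only a debug deployment gets the specific reason in the response.
        super().__init__(detail if insecure_debug else GENERIC_MESSAGE)
        self.detail = detail


@dataclass
class IdentityStore:
    users: dict                 # constructed: user_id -> password
    projects: set               # constructed: ids of existing projects
    insecure_debug: bool = False
    log: list = field(default_factory=list)

    def lookup_project(self, project_id: str) -> str:
        """Hypothetical stand-in for the _lookup_project() step."""
        if project_id not in self.projects:
            raise ProjectNotFound(project_id)
        return project_id

    def authenticate(self, user_id: str, password: str, project_id: str):
        """Return (status, message) the way an HTTP handler would."""
        try:
            if self.users.get(user_id) != password:
                raise Unauthorized("invalid user or password", self.insecure_debug)
            try:
                self.lookup_project(project_id)
            except ProjectNotFound as exc:
                # The mapping the bug report questions: a deleted or unknown
                # project becomes 401, so a caller cannot probe which project
                # ids exist by telling 401 apart from 404.
                raise Unauthorized(f"project {exc} not found", self.insecure_debug)
        except Unauthorized as exc:
            # As described above, the log gets the detail only in debug mode.
            self.log.append(str(exc))
            return 401, str(exc)
        return 200, f"token scoped to project {project_id}"


def indistinguishable(store: IdentityStore) -> bool:
    """True if a wrong password and a missing project yield the same response."""
    bad_password = store.authenticate("alice", "wrong-password", "p1")
    missing_project = store.authenticate("alice", "correct-horse", "deleted-project")
    return bad_password == missing_project


def demo() -> dict:
    """Compare production-style and insecure_debug behaviour on constructed data."""
    store = IdentityStore(users={"alice": "correct-horse"}, projects={"p1"})
    result = {"production_indistinguishable": indistinguishable(store)}
    store.insecure_debug = True          # only acceptable on a test deployment
    result["debug_indistinguishable"] = indistinguishable(store)
    result["debug_message"] = store.authenticate("alice", "correct-horse", "deleted-project")[1]
    return result


if __name__ == "__main__":
    print(demo())
```

With `insecure_debug` off, the two failure modes return byte-identical bodies and the same status, so the response leaks nothing about whether the project exists; flipping the option on makes the responses differ, which is the trade-off the comment warns about.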
