
yahoo-eng-team team mailing list archive

[Bug 1541656] Re: OAuth Identity token gives Forbidden


Marking as incomplete for OSC, please re-visit if it is still an issue
(many things have changed across the board) and invalid for keystone.

** Changed in: keystone
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541656

Title:
  OAuth Identity token gives Forbidden

Status in OpenStack Identity (keystone):
  Won't Fix
Status in python-openstackclient:
  New

Bug description:
  I have enabled OAuth1 in Keystone Kilo, then followed the flow described here:
  https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html#delegated-authentication-flow

  Created a consumer, created a request token, authorized the request
  token, exchanged it for an access token and finally obtained Identity
  token out of the access token, which looks like:

  HTTP/1.1 201 Created
  Date: Thu, 04 Feb 2016 00:20:13 GMT
  Server: Apache/2.4.10 (Linux/SUSE)
  Content-Length: 7982
  X-Subject-Token: 5bae545dc72d499bb3ec2792c9e53cbd
  Vary: X-Auth-Token
  x-openstack-request-id: req-241f91a2-8bc5-44a0-8676-8f521e074475
  Content-Type: application/json

  {"token": {"methods": ["oauth1"], "roles": [{"id":
  "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}],
  "expires_at": "2016-02-04T01:20:13.114596Z", "project": {"domain":
  {"id": "default", "name": "Default"}, "id": ..........skipped catalog,
  etc..... "OS-OAUTH1": {"access_token_id":
  "f718a55aeae24fa1930b726cbd41b378", "consumer_id":
  "979f33d9d2c54fd4ae9d5ed3c2c8f61b"}}}

  
  Then when I try to use the token for example to list servers:

  openstack --os-token 5bae545dc72d499bb3ec2792c9e53cbd --os-auth-url
  https://host:5000/v3 --os-identity-api-version 3 --os-cacert
  /etc/pki/trust/anchors/ca.pem --os-project-name Project1 server list

  I get a surprising error:

  Forbidden: You are not authorized to perform the requested action. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-34f9098e-7f5d-45e6-95b6-6f4cac87159e)
   
  After some debugging I found out that my call gets rejected at:

  def token_authenticate(context, auth_payload, user_context, token_ref):
      try:

          # Do not allow tokens used for delegation to
          # create another token, or perform any changes of
          # state in Keystone. To do so is to invite elevation of
          # privilege attacks

          if token_ref.oauth_scoped or token_ref.trust_scoped:
              raise exception.Forbidden()

  What am I missing here? My token definitely is oauth_scoped and how am
  I supposed to use this Identity token?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1541656/+subscriptions
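Editor's note, added to this archived report and not part of the original message or of keystone's code: the snippet the reporter quotes is keystone's "token" auth method, i.e. the path that exchanges an existing token for a new (re-scoped) token. My reading of the failing command is that `--os-token` together with `--os-project-name` makes the client request a project-scoped token through exactly that method, which the guard refuses for OAuth- or trust-scoped tokens so that a delegate cannot mint tokens beyond the delegation it was granted. Presenting the same token as X-Auth-Token to a service only validates it and creates nothing new, so that path is unaffected. The model below reproduces that boundary; the `TokenRef` class, the token IDs, the `authenticate`/`validate_token` helpers and the token store are all constructed for illustration, and the v3 auth body is the standard one for the "token" method.

```python
"""Added example (editor's model, not keystone's own code): the delegation
guard quoted in the bug report, and why a token-for-token exchange trips it
while plain token validation does not.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Stand-in for keystone.exception.Forbidden."""


@dataclass
class TokenRef:
    """Constructed stand-in for keystone's token model.  The oauth_scoped and
    trust_scoped attributes follow the names quoted in the bug report."""
    token_id: str
    user_id: str
    project_id: str
    oauth_scoped: bool = False
    trust_scoped: bool = False


def build_token_auth_request(token_id, project_name, domain_id="default"):
    """v3 POST /auth/tokens body for re-scoping an existing token with the
    "token" method (the request a token-plus-project-name CLI run amounts to)."""
    return {
        "auth": {
            "identity": {"methods": ["token"], "token": {"id": token_id}},
            "scope": {"project": {"name": project_name,
                                  "domain": {"id": domain_id}}},
        }
    }


def token_authenticate(token_ref, requested_project):
    """Model of the guard quoted in the report: a token obtained through a
    delegation (OAuth1 access token or trust) must not create another token,
    because the new token could escape the scope the delegator granted."""
    if token_ref.oauth_scoped or token_ref.trust_scoped:
        raise Forbidden("delegated token may not be exchanged for a new token")
    return {"user_id": token_ref.user_id, "project_id": requested_project,
            "methods": ["token"]}


def authenticate(request, token_store):
    """Dispatch an auth request body to the requested method (token only here)."""
    identity = request["auth"]["identity"]
    if identity["methods"] != ["token"]:
        raise NotImplementedError("this model only handles the token method")
    token_ref = token_store.get(identity["token"]["id"])
    if token_ref is None:
        raise Forbidden("unknown token")
    return token_authenticate(token_ref, request["auth"]["scope"]["project"]["name"])


def validate_token(token_id, token_store):
    """Model of a service checking X-Auth-Token: nothing new is minted, so a
    delegated token is accepted with the scope it already carries."""
    token_ref = token_store.get(token_id)
    if token_ref is None:
        raise Forbidden("unknown token")
    return {"user_id": token_ref.user_id, "project_id": token_ref.project_id,
            "delegated": token_ref.oauth_scoped or token_ref.trust_scoped}


def exchange_outcome(token_id, project_name, token_store):
    """Return "exchanged" or "forbidden" for a token-for-token exchange."""
    try:
        authenticate(build_token_auth_request(token_id, project_name), token_store)
        return "exchanged"
    except Forbidden:
        return "forbidden"


# Constructed token store: one OAuth1-scoped token (the reporter's situation)
# and one ordinary token for comparison.  IDs are made up.
TOKENS = {
    "oauth-token-1": TokenRef("oauth-token-1", "user-a", "project-1", oauth_scoped=True),
    "plain-token-1": TokenRef("plain-token-1", "user-a", "project-1"),
}

if __name__ == "__main__":
    print(exchange_outcome("oauth-token-1", "Project1", TOKENS))  # forbidden
    print(exchange_outcome("plain-token-1", "Project1", TOKENS))  # exchanged
    print(validate_token("oauth-token-1", TOKENS))               # accepted, delegated=True
```

The two outcomes side by side are the point: the 403 is the guard doing its job against a re-scoping request, not a rejection of the OAuth-issued token as such.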
