← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1813336] [NEW] Requesting a scoped token when using x509 authentication is redundant

 

Public bug reported:

In order to get a project-scoped token with an x509 certificate (not
tokenless authentication), I need to specify X-Project-Id in the request
header and I need to specify the project in the scope of the request
body.

If I leave out the header (e.g., X-Project-Id) but keep the scope in the
request body, the request fails with an HTTP 400 validation error [1].
If I leave the request body unscoped and keep the X-Project-Id header in
the request, it is ignored an I get back an unscoped token [2].

It seems redundant to have to specify both to get a scoped token.

[0] https://pasted.tech/pastes/44d9393b0b01f40257fc216fec914ebb9bce07a6.raw
[1] https://pasted.tech/pastes/a41b17ec4c51bb57cb7625847544a75b97282585.raw
[2] https://pasted.tech/pastes/746cd35c00a6fd1c0d12a49ec1a705b4d0464b6a.raw

** Affects: keystone
     Importance: Medium
         Status: Triaged


** Tags: user-experience x509

** Tags added: x509

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Medium

** Tags added: user-experience

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1813336

Title:
  Requesting a scoped token when using x509 authentication is redundant

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  In order to get a project-scoped token with an x509 certificate (not
  tokenless authentication), I need to specify X-Project-Id in the
  request header and I need to specify the project in the scope of the
  request body.

  If I leave out the header (e.g., X-Project-Id) but keep the scope in
  the request body, the request fails with an HTTP 400 validation error
  [1]. If I leave the request body unscoped and keep the X-Project-Id
  header in the request, it is ignored an I get back an unscoped token
  [2].

  It seems redundant to have to specify both to get a scoped token.

  [0] https://pasted.tech/pastes/44d9393b0b01f40257fc216fec914ebb9bce07a6.raw
  [1] https://pasted.tech/pastes/a41b17ec4c51bb57cb7625847544a75b97282585.raw
  [2] https://pasted.tech/pastes/746cd35c00a6fd1c0d12a49ec1a705b4d0464b6a.raw

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1813336/+subscriptions