yahoo-eng-team team mailing list archive
Message #83181
[Bug 1886017] [NEW] "allow expired" feature is broken against json web token
Public bug reported:
When using the JSON Web Token, the "allow expired" feature is broken.
Steps to reproduce:
1. Create TOKEN1 with a long expiration period.
2. Create TOKEN2 with a short expiration period.
3. After TOKEN2 has expired, call GET /v3/auth/tokens?allow_expired=1 with X-Auth-Token: TOKEN1, X-Subject-Token: TOKEN2
Keystone is supposed to return the token data of TOKEN2, but a TokenNotFound error is returned.
This has been tested against a fernet token and it worked as expected.
Here is the cause I found: jwt.decode() raises an ExpiredSignatureError
when a token is expired, thus the expiry window code won't be executed.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1886017
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1886017/+subscriptions
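The failure mode reported above, as an added example that is not Keystone's code or part of the original report: when expiry is enforced inside the decode step, a later "allow expired" window check can never run, so the signature check and the expiry check have to be separated. The sketch uses a standard-library HS256 token in place of Keystone's JWS provider; the key, the window length and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed sample key, not a Keystone key
ALLOW_EXPIRED_WINDOW = 3600     # seconds; assumed value for this sketch

class ExpiredToken(Exception):
    """Token is past its expiry (plus the window, where one applies)."""

class InvalidToken(Exception):
    """Token is malformed or its signature does not verify."""

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def issue(payload):
    """Build a constructed HS256 token for the demonstration."""
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(payload).encode())
    sig = b64(hmac.new(KEY, head + b"." + body, hashlib.sha256).digest())
    return b".".join((head, body, sig))

def verify_signature(token):
    """Signature check only. The algorithm is fixed to HS256 and never
    read from the token header; expiry is left to the caller."""
    try:
        head, body, sig = token.split(b".")
    except ValueError:
        raise InvalidToken("malformed token")
    expected = b64(hmac.new(KEY, head + b"." + body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    return json.loads(unb64(body))

def strict_decode(token, now):
    """Expiry enforced inside decode: the behaviour class the report describes."""
    claims = verify_signature(token)
    if now >= claims["exp"]:
        raise ExpiredToken("signature has expired")
    return claims

def validate(token, now, allow_expired=False):
    """Verify the signature first, then apply expiry with the optional window."""
    claims = verify_signature(token)
    window = ALLOW_EXPIRED_WINDOW if allow_expired else 0
    if now >= claims["exp"] + window:
        raise ExpiredToken("token expired")
    return claims
```

With PyJWT, the same separation is obtained by passing options={"verify_exp": False} to jwt.decode() and checking the exp claim against the window afterwards; the signature is still verified in that mode.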