yahoo-eng-team team mailing list archive

[OpenStack Infra <1886017@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.opendev.org/739784
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2707498474003883530688a222e4143cf04ad2a7
Submitter: Zuul
Branch:    master

commit 2707498474003883530688a222e4143cf04ad2a7
Author: Vishakha Agarwal <agarwalvishakha18@xxxxxxxxx>
Date:   Tue Jul 7 20:22:07 2020 +0530

    Fix "allow expired" feature for JWT
    
    GET /v3/auth/tokens?allow_expired=1 works fine with fernet tokens
    returning the expired token data, whereas it returns exception
    TokenNotFound for JWT. This patch fixes the same.
    
    Change-Id: I03f6c58dce7d140d62055a97063aeb480498e5e6
    Closes-Bug: #1886017


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1886017

Title:
  "allow expired" feature is broken against json web token

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When using the json web token, the allow expired feature is broken.
  Steps to reproduce:
  1. create TOKEN1 with long expiration period.
  2. create TOKEN2 with short expiration period
  3. after TOKEN2 is expired, call GET /v3/auth/tokens?allow_expired=1 with X-Auth-Token: TOKEN1, X-Subject-Token: TOKEN2

  Keystone is supposed to return the token data of TOKEN2 but an error
  of TokenNotFound is returned.

  This has been tested against ferent token and it worked as expected.

  Here is the cause I found: jwt.decode() raises an
  ExpiredSignatureError when a token is expired, thus the expiry windows
  code won't be executed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1886017/+subscriptions