yahoo-eng-team team mailing list archive

[Bug 1902261] [NEW] Federated identity login does not prevent disabling account due to inactivity


Public bug reported:

On keystone configured with OIDC federated login and
disable_user_account_days_inactive, accounts become disabled after the
specified number of days even if users regularly access accounts with
OIDC login. OIDC login does not count as activity, nor does token
authentication. It seems direct authentication with username/password is
expected for activity.

From a review of the source, it appears there are 2 cases where keystone
updates last_active_at in the database.

The first is authenticating with a password:
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L900-L908

The second is when a federated (e.g. OIDC) login happens for an
ephemeral user:
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L1486-L1512

We use federated users but we map them to existing local keystone users
in the default domain - so they're not ephemeral.

To confirm, I switched our mapping to ephemeral. With mapping set to
ephemeral, logging into OIDC does update the last_active_at field, but
it creates a second user account in a separate domain, and this is not
our use case.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1902261

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1902261/+subscriptions