
yahoo-eng-team team mailing list archive

[Bug 2049559] Re: Keystone implements "AccountLocked" but returns "Unauthorized"


Hello,

This is by design:

cat releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
---
fixes:
  - |
    [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
    Fixed the AccountLocked exception being shown to the end user since
    it provides some information that could be exploited by a
    malicious user. The end user will now see Unauthorized instead of
    AccountLocked, preventing user info oracle exploitation.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2049559

Title:
  Keystone implements "AccountLocked" but returns "Unauthorized"

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  We enabled [security_compliance] in our environment to follow Security
  compliance and PCI-DSS requirements, and here is our configuration:

  [security_compliance]
  lockout_failure_attempts = 3
  lockout_duration = 60

  My account gets locked after 3 failed logins. When I then tried to
  log in again, I got a 401 Unauthorized instead of the AccountLocked
  we expected.

  {
      "error": {
          "code": 401,
          "message": "The request you have made requires authentication.",
          "title": "Unauthorized"
      }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2049559/+subscriptions
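An added example, not Keystone's own code, modelling the behaviour the reply describes with the reporter's settings: the lockout is tracked and logged server-side as AccountLocked, but every failed authentication, whether wrong password, unknown user, or locked account, returns the identical 401 body, so the response cannot be used as a user-existence or lock-state oracle. All class and function names are assumptions.

```python
import time

# Values from the reporter's [security_compliance] section.
LOCKOUT_FAILURE_ATTEMPTS = 3
LOCKOUT_DURATION = 60  # seconds

# The one body every failed authentication gets, as seen in the report.
UNAUTHORIZED = {"error": {"code": 401, "title": "Unauthorized",
                          "message": "The request you have made requires authentication."}}


class AccountLocked(Exception):
    """Internal-only signal; never serialised to the client."""

class Unauthorized(Exception):
    """Wrong password or unknown user; also internal."""

class LockoutTracker:
    """Toy model of the lockout (assumed names, not Keystone's classes)."""

    def __init__(self, users, now=time.time):
        self._users = users      # constructed: {username: password}
        self._failures = {}      # username -> (count, last_failure_ts)
        self._now = now
        self.audit = []          # what an operator sees in the server log

    def _check_locked(self, name):
        count, last = self._failures.get(name, (0, 0.0))
        if count < LOCKOUT_FAILURE_ATTEMPTS:
            return
        if self._now() - last < LOCKOUT_DURATION:
            raise AccountLocked(name)
        del self._failures[name]  # lockout window has expired

    def _authenticate(self, name, password):
        self._check_locked(name)
        if self._users.get(name) != password:
            count, _ = self._failures.get(name, (0, 0.0))
            self._failures[name] = (count + 1, self._now())
            raise Unauthorized(name)
        self._failures.pop(name, None)  # success clears the counter

    def login(self, name, password):
        """Public entry point: the real reason is logged, the client sees 401."""
        try:
            self._authenticate(name, password)
        except (AccountLocked, Unauthorized) as exc:
            self.audit.append(f"{type(exc).__name__} user={name}")
            return 401, UNAUTHORIZED
        return 201, {"token": "constructed-token"}
```

The audit list is where the AccountLocked distinction survives, which is what a detection rule for brute-force attempts should consume rather than the client-facing response.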
