yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1854041] Re: Keystone should propagate redirect exceptions from auth plugins

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1854041@xxxxxxxxxxxxxxxxxx>
Date: Fri, 26 Jan 2024 17:37:33 -0000
Reply-to: Bug 1854041 <1854041@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/keystone/+/754694
Committed: https://opendev.org/openstack/keystone/commit/1c106f48b05d45e87ecdfbda1586d9456d818f7e
Submitter: "Zuul (22348)"
Branch:    master

commit 1c106f48b05d45e87ecdfbda1586d9456d818f7e
Author: ferag <ferag@xxxxxxxx>
Date:   Thu Nov 21 11:34:40 2019 +0000

    Propagate redirect exceptions to the client
    
    When a developer is implementing an Authentication plugin, in some cases
    (like an OpenID Connect plugin) it is needed to perform a redirect to
    the provider to complete the flow. This was possible in the past (before
    moving to Flask) by raising an exception with the proper HTTP code set,
    but the framework change made this possibility not available anymore.
    
    Closes-Bug: #1854041
    Co-authored-by: Alvaro Lopez Garcia <aloga@xxxxxxxxxxxxxx>
    Change-Id: I333eb15c66f37207e6937d0cb3a80f26cf9bebfc


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1854041

Title:
  Keystone should propagate redirect exceptions from auth plugins

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When a developer is implementing an Authentication plugin [1] they can
  only return None and setup the relevant information in the auth
  context or raise an Unauthorized exception. However, in some cases
  (like an OpenID Connect plugin) it is needed to perform a redirect to
  the provider to complete the flow. IIRC this was possible in the past
  (before moving to Flask) by raising an exception with the proper HTTP
  code set, but with the current implementation this is impossible.

  [1]: https://docs.openstack.org/keystone/latest/contributor/auth-
  plugins.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1854041/+subscriptions

References

[Bug 1854041] [NEW] Keystone should propagate redirect exceptions from auth plugins
From: Alvaro Lopez, 2019-11-26