OSSA 2013-014
** Changed in: ossa
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1179615
Title: [OSSA 2013-014] auth_token middleware neglects to check expiry of signed token
Status in OpenStack Identity (Keystone): Invalid
Status in Keystone folsom series: Fix Committed
Status in OpenStack Security Advisories: Fix Released
Status in Python client library for Keystone: Fix Committed
Bug description:
Unless I'm mistaken the keystoneclient auth_token middleware seems to
be neglecting to check the expiry of signed tokens.
Instead, it only checks if the proposed token has been explicitly
revoked:
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1047
Surely the expiration timestamp needs to be checked also and the token
rejected if expired.
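The check the report asks for, sketched as an added example (this is not keystoneclient's code and not the fix that was committed): a signed token is rejected when it is revoked and also when its expiry has passed or cannot be read. It assumes the signature has already been verified, that the payload carries an ISO 8601 timestamp at access.token.expires, and that revocations arrive as a set of token hashes; all function names and sample values are hypothetical.

```python
import json
from datetime import datetime, timezone


class InvalidToken(Exception):
    """Raised when a signed token must be rejected."""


def parse_expiry(value):
    # Accept ISO 8601 with a trailing "Z"; treat naive timestamps as UTC.
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_signed_token(payload_json, token_hash, revoked_hashes, now=None):
    """Validate the payload of a token whose signature already verified.

    Assumed layout (not taken from the page): {"access": {"token":
    {"expires": "<ISO 8601>"}}}. Returns the expiry on success.
    """
    now = now or datetime.now(timezone.utc)

    # The revocation check the report says was already being done.
    if token_hash in revoked_hashes:
        raise InvalidToken("token has been revoked")

    # The expiry check the report says was missing. A signature proves who
    # issued the token, not that it is still within its lifetime.
    try:
        raw = json.loads(payload_json)["access"]["token"]["expires"]
        expires = parse_expiry(raw)
    except (KeyError, TypeError, ValueError, AttributeError) as exc:
        # Fail closed: no readable expiry means no acceptance.
        raise InvalidToken("token has no usable expiry") from exc

    if expires <= now:
        raise InvalidToken("token expired at %s" % expires.isoformat())
    return expires


# Constructed sample payloads and clock, for illustration only.
NOW = datetime(2013, 5, 14, 12, 0, tzinfo=timezone.utc)
LIVE = json.dumps({"access": {"token": {"expires": "2013-05-14T13:00:00Z"}}})
STALE = json.dumps({"access": {"token": {"expires": "2013-05-13T13:00:00Z"}}})
```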