As it turns out, the output of base64.urlsafe_b64encode() is not actually URL-safe if the result includes padding. The padding character is '=' which must be percent-encoded.
The result is that "valid" tokens are being made URL-friendly by some defensive code in keystonemiddleware, and are thus made unusable by keystone during validation.

https://travis-ci.org/dolph/keystone-deploy/builds/54734386

If keystone emitted URL-safe tokens in the first place, the defensive code in keystonemiddleware wouldn't be triggered, and everything works properly.

Unfortunately, PKI and PKIZ tokens exhibit a similar symptom, but apparently due to a different cause.

** Summary changed:

- safe_quote doesn't work for Fernet/PKI/PKIz tokens
+ Fernet tokens with base64 padding are not URL-safe

** Also affects: keystone
   Importance: Undecided
       Status: New

** Changed in: keystone
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1433372

Title:
  Fernet tokens with base64 padding are not URL-safe

Status in OpenStack Identity (Keystone):
  In Progress
Status in OpenStack Identity (Keystone) Middleware:
  In Progress

Bug description:
  The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.

  This can be recreated using keystone-deploy's fernet-token branch, as well as the PKI and PKIz configurations [3].

  [1] https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
  [2] http://cdn.pasteraw.com/jt7zlnanjmcwqyu5gt9k4vcspy1pj9p
  [3] https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py
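As an added illustration, not code from the bug report or from keystone/keystonemiddleware, the following Python reproduces the padding problem described above using plain base64 in place of a real Fernet token. The trailing '=' that base64.urlsafe_b64encode() emits is percent-encoded to '%3D' by a quote-unless-already-quoted helper (an assumption about what the middleware's safe_quote() does, reconstructed here rather than copied from the project), so a strict decoder on the validating side rejects the token. The block then shows one mitigation, assumed here rather than taken from the page: strip the padding when the token is issued and restore it before decoding, which leaves only characters that percent-encoding never touches, so the defensive quoting becomes a no-op.

```python
import base64
import binascii
import urllib.parse


def safe_quote(s: str) -> str:
    """Percent-encode s unless it already looks percent-encoded.

    Assumption: this mirrors the 'quote only if not already quoted'
    behaviour the report attributes to keystonemiddleware's safe_quote();
    it is an illustrative reconstruction, not the project's code.
    """
    return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s


def encode_token(raw: bytes) -> str:
    """Token as urlsafe base64, padding included (the problematic form)."""
    return base64.urlsafe_b64encode(raw).decode("ascii")


def encode_token_unpadded(raw: bytes) -> str:
    """Token with the trailing '=' padding stripped, so every character is
    in [A-Za-z0-9_-] and survives percent-encoding unchanged."""
    return encode_token(raw).rstrip("=")


def decode_token_strict(token: str) -> bytes:
    """Decode a padded urlsafe base64 token, rejecting any character outside
    the alphabet (e.g. the '%' of '%3D'). validate=True makes b64decode
    raise binascii.Error instead of silently discarding such characters."""
    return base64.b64decode(token.encode("ascii"), altchars=b"-_", validate=True)


def decode_token_unpadded(token: str) -> bytes:
    """Restore the padding a stripped token needs, then decode strictly."""
    return decode_token_strict(token + "=" * (-len(token) % 4))


def round_trip(raw: bytes) -> dict:
    """Run both token forms through the defensive quoting and report what happens."""
    padded = encode_token(raw)
    quoted_padded = safe_quote(padded)
    try:
        decode_token_strict(quoted_padded)
        padded_survives = True
    except binascii.Error:
        padded_survives = False

    unpadded = encode_token_unpadded(raw)
    quoted_unpadded = safe_quote(unpadded)
    return {
        "padded_has_padding": padded.endswith("="),
        "quoting_changed_padded": quoted_padded != padded,
        "padded_survives_quoting": padded_survives,
        "quoting_changed_unpadded": quoted_unpadded != unpadded,
        "unpadded_round_trips": decode_token_unpadded(quoted_unpadded) == raw,
    }


if __name__ == "__main__":
    # Constructed sample payload: 32 bytes encode to 44 base64 chars with one '='.
    sample = bytes(range(32))
    for key, value in round_trip(sample).items():
        print(f"{key}: {value}")
```

Whether a given token carries padding depends only on its byte length modulo 3, which is why the symptom looks intermittent: a payload whose length is a multiple of 3 produces no '=' and passes through the quoting untouched, while the other two residues produce one or two '=' characters and fail. Stripping and restoring padding makes the validating side independent of that residue.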

