** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1433372
Title:
Fernet tokens with base64 padding are not URL-safe
Status in OpenStack Identity (Keystone):
Fix Released
Status in OpenStack Identity (Keystone) Middleware:
In Progress
Bug description:
The safe_quote() method, which happens unconditionally on verify_token
in keystone auth_token middleware, doesn't seem to work when being
used with Fernet, PKI, or PKIz tokens [1]. This method modifies the
token [2] before passing it to Keystone, and in the Fernet case, the
token_formatter is unable to decrypt the token. This is not apparent
with UUID formatted tokens because they are UUID safe, given
uuid.uuid4().hex.
This can be recreated using keystone-deploy's fernet-token branch, as
well as the PKI and PKIz configurations [3].
[1]
https://github.com/openstack/keystonemiddleware/blob/d436ec737a4ecfe653d934c6f4a71f411b7f9cc2/keystonemiddleware/auth_token/_utils.py#L16-L18
[2] http://cdn.pasteraw.com/jt7zlnanjmcwqyu5gt9k4vcspy1pj9p
[3]
https://github.com/dolph/keystone-deploy/blob/fernet-tokens/test_exercises.py
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1433372/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
