Public bug reported:
Validate token API specifies 404 response for invalid Subject tokens:
http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken
http://developer.openstack.org/api-ref-identity-v3.html#validateTokens (not
clear, but KSC/middleware/auth_token has the same logic as v2.0)
For Fernet tokens, this API returns 401 for invalid token:
curl -H 'X-Auth-Token: valid' -H 'X-Subject-Token: invalid'
localhost:5000/v3/auth/tokens
{"error": {"message": "The request you have made requires authentication.
(Disable debug mode to suppress these details.)", "code": 401, "title":
"Unauthorized"}}
I've checked the tests and found an incorrect one. The API spec requires 404,
the test checks for 401.
https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Looks like it's broken in one of these places:
Controller doesn't check the return
https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L51
Fernet token's core doesn't check the return here
https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L152
Fernet token raises 401 here
https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L201
Note that UUID token raises 404 here as expected
https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L679
** Affects: keystone
Importance: Undecided
Status: New
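The contract the report describes has two distinct failure points: the caller's own X-Auth-Token (authentication failure, 401) and the X-Subject-Token being looked up (lookup failure, 404). The example below is an added illustration, not Keystone's code: it models a validate-token handler with a constructed HMAC-signed token format standing in for Fernet, and shows the translation step the report says is missing, where the formatter's "invalid token" error for the subject token is turned into 404 rather than leaking out as 401. SIGNING_KEY, issue_token, unpack_token and validate_token_request are all hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Tuple

# Constructed signing key for this example only; a real Fernet deployment
# reads its keys from the key repository on disk.
SIGNING_KEY = b"example-key-not-for-production"


class InvalidToken(Exception):
    """Raised by the (hypothetical) token formatter when a token cannot be unpacked."""


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def issue_token(user_id: str, ttl_seconds: int = 3600) -> str:
    """Mint a token: base64(payload) '.' base64(HMAC-SHA256 over the payload)."""
    payload = json.dumps({"user_id": user_id, "exp": int(time.time()) + ttl_seconds}).encode()
    body = _b64(payload)
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def unpack_token(token: str) -> dict:
    """Formatter-level check: signature, structure and expiry. Knows nothing about HTTP."""
    try:
        body, sig = token.encode().split(b".", 1)
    except ValueError:
        raise InvalidToken("malformed token")
    expected = _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    padded = body + b"=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if payload["exp"] < time.time():
        raise InvalidToken("expired")
    return payload


def validate_token_request(auth_token: str, subject_token: str) -> Tuple[int, dict]:
    """Model of GET /v3/auth/tokens: returns (HTTP status, JSON body)."""
    # Step 1: the caller's own credential. A failure here really is an
    # authentication failure, so 401 is the right answer.
    try:
        caller = unpack_token(auth_token)
    except InvalidToken:
        return 401, {"error": {"code": 401, "title": "Unauthorized",
                               "message": "The request you have made requires authentication."}}
    # Step 2: the token being looked up. The formatter raises the same
    # InvalidToken as above, but at this layer it means "no such token",
    # so it must be translated to 404 (what the UUID provider already does).
    try:
        subject = unpack_token(subject_token)
    except InvalidToken:
        return 404, {"error": {"code": 404, "title": "Not Found",
                               "message": "Could not find token."}}
    return 200, {"token": {"user_id": subject["user_id"], "validated_by": caller["user_id"]}}


if __name__ == "__main__":
    valid = issue_token("admin")
    print(validate_token_request(valid, "invalid")[0])      # 404: subject token unknown
    print(validate_token_request("invalid", valid)[0])      # 401: caller not authenticated
    print(validate_token_request(valid, valid)[0])          # 200
```

The point of the split is what auth_token middleware relies on: a 404 tells the service "this user's token is bad, reject the user", while a 401 tells it "your own service credential is bad", which typically triggers re-authentication of the service itself rather than a clean rejection of the end user.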
https://bugs.launchpad.net/bugs/1477600
Title:
Token Validation API returns 401 not 404 on invalid token
Status in Keystone:
New