As noted, the security promise of bearer tokens relies on not exposing them to a would-be attacker, so this is a shortcoming of your deployment configuration, not a security vulnerability in the underlying implementation.
** Information type changed from Private Security to Public

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-

It is possible for a 3rd party to read the federated user token during a federated login.

I am trying with branch origin/master, commit f485c3bdea13c1959db1eec2936690addd87b492.

I installed openstack using devstack. Then, I installed websso following the steps on official documentation (http://docs.openstack.org/developer/keystone/configure_federation.html). I am using Shibboleth and testing with testshib.org.

I managed to get logged in using testshib. But, if I use wireshark to read the messages exchanged between my browser and the server, I am able to capture the token. The capture happens when keystone uses a POST to communicate the token to horizon (an HTTP POST to /dashboard/auth/websso).

I later used the retrieved token to successfully access the federated user's projects using the API.

** Changed in: ossa
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1502280

Title:
  Visible token in HTTP

Status in Keystone:
  Won't Fix
Status in OpenStack Security Advisory:
  Invalid

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1502280/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
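As an added check for the deployment point made in the reply above (example code, not from the bug report or from Keystone itself): it scans the [federation] section of a keystone.conf for trusted_dashboard entries, the URLs Keystone POSTs the token to after a WebSSO login, and reports any that are not https. The sample config is constructed; trusted_dashboard is the option name from the Keystone federation docs linked in the report.

```python
"""Flag WebSSO callback URLs that would receive the federated token in cleartext."""
from urllib.parse import urlsplit

# Constructed sample keystone.conf; a real check reads /etc/keystone/keystone.conf.
SAMPLE_CONF = """\
[DEFAULT]
debug = False

[federation]
# Keystone POSTs the unscoped token to each trusted_dashboard after login.
trusted_dashboard = http://controller/dashboard/auth/websso/
trusted_dashboard = https://dashboard.example.net/auth/websso/
sso_callback_template = /etc/keystone/sso_callback_template.html
"""


def trusted_dashboards(conf_text):
    """Return every trusted_dashboard value in the [federation] section.

    A line parser rather than configparser because oslo.config lets the
    option repeat (one line per dashboard), which configparser collapses.
    """
    urls, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "federation" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "trusted_dashboard":
            urls.append(value)
    return urls


def insecure_dashboards(conf_text):
    """Return the dashboards that would get the token over plain HTTP."""
    return [
        url for url in trusted_dashboards(conf_text)
        if urlsplit(url).scheme.lower() != "https" or not urlsplit(url).netloc
    ]


if __name__ == "__main__":
    for url in insecure_dashboards(SAMPLE_CONF):
        print("token would be POSTed in cleartext to:", url)
```

Passing this check covers only the Keystone-to-dashboard leg; the browser's requests to Keystone and Horizon must also be served over TLS for the token never to cross the wire in cleartext.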

