Reviewed: https://review.openstack.org/531915 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f463bdccf130ad5e6bd2adb5fba785455477de00 Submitter: Zuul Branch: master
commit f463bdccf130ad5e6bd2adb5fba785455477de00 Author: Lance Bragstad <[email protected]> Date: Mon Jan 8 22:03:50 2018 +0000 Validate identity providers during token validation Previously, it was possible to validate a federated keystone token after the identity provider associated by that token was deleted, which is a security concern. This commit does two things. First it makes it so that the token cache is invalidated when identity providers are deleted. Second, it validates the identity provider in the token data and ensures it actually exists in the system before considering the token valid. Change-Id: I57491c5a7d657b25cc436452acd7fcc4cd285839 Closes-Bug: 1291157 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1291157 Title: idp deletion should trigger token revocation Status in OpenStack Identity (keystone): Fix Released Bug description: When a federation IdP is deleted, the tokens that were issued (and still active) and associated with the IdP should be deleted. To prevent unwarranted access. The fix should delete any tokens that are associated with the idp, upon deletion (and possibly update, too). To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1291157/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
