Colleen's assessment is accurate and her workaround is about the best we have. This happens when a token is created within the same second as a revocation event (e.g. changing your password then immediately authenticating for a token). The token's creation timestamp is determined when the token is minted [0], which is handled outside of keystone.
Lack of sub-second support for creation timestamps is a known issue in the fernet specification [1], which is implemented by pyca/cryptography [2] and consumed by keystone [3]. There is an issue opened up against the fernet specification itself [4], but that hasn't moved in a while, despite our attempts to propose a subsequent version of the document. The workaround is to make sure you pass the threshold of a new second before authenticating for a new token, which we had to work into several tempest tests when we made fernet the default token provider [5][6].

Hopefully this helps clarify why the issue still exists. Unfortunately, there isn't much we can do from a keystone perspective short of consuming a fernet implementation of an updated specification.

[0] https://github.com/pyca/cryptography/blob/611fa5a0458a36bb8b13b3e251a5cd359fa34296/src/cryptography/fernet.py#L49
[1] https://github.com/fernet/spec
[2] https://github.com/pyca/cryptography/
[3] https://github.com/openstack/keystone/blob/37ce5417418f8acbd27f3dacb70c605b0fe48301/keystone/token/token_formatters.py#L18
[4] https://github.com/fernet/spec/issues/12
[5] https://review.openstack.org/#/q/status:merged+project:openstack/tempest+branch:master+topic:bug/1473567
[6] https://bugs.launchpad.net/keystone/+bug/1473567

** Bug watch added: github.com/fernet/spec/issues #12
   https://github.com/fernet/spec/issues/12

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1769864

Title:
  cannot use newly issued token immediately after admin password change

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  The following issue was observed while running an automated job which changed the password of the admin account (Pike release was used).
  If an admin token is issued immediately after the admin password is changed, using the token to authenticate to Keystone is met with an Unauthorized error:

  {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

  Steps to reproduce this:

  1. generate a token with the current admin password:

  curl -d '{"auth":{"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}' \
       -H "Content-type: application/json" \
       http://cluster-data.vn1.cloud.suse.de:35357/v2.0/tokens

  2. change the admin password using the token generated at step 1:

  curl -X PUT -d '{"user":{"id": "<admin-user-uuid>", "password": "newpassword"}}' \
       -H "X-Auth-Token:<token-id>" \
       -H "Content-type: application/json" \
       http://cluster-data.vn1.cloud.suse.de:35357/v2.0/users/<admin-user-uuid>/OS-KSADM/password

  3. generate a token with the new admin password:

  curl -d '{"auth":{"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "newpassword"}}}' \
       -H "Content-type: application/json" \
       http://cluster-data.vn1.cloud.suse.de:35357/v2.0/tokens

  4. run a simple check using the token generated at 3.:

  curl -H "X-Auth-Token:<new-token-id>" \
       http://cluster-data.vn1.cloud.suse.de:35357/v2.0/OS-KSADM/services

  To reproduce this issue, step 4 needs to be executed immediately after 3. Inserting a 1-2 second delay between 3 and 4 makes the problem go away.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1769864/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
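As an added illustration (not code from keystone, pyca/cryptography or this bug thread), the Python below models the timing problem described in the comment and reproduced in the steps above: a token in Fernet's on-the-wire layout whose header carries a whole-second creation timestamp, a simplified stand-in for keystone's revocation comparison, and the "wait for the next second" workaround used in the tempest tests. The signing key, the filler payload (the ciphertext field is not real AES output; only the header layout and HMAC follow the format) and the exact revocation rule are constructed assumptions for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import math
import os
import struct
import time

# Constructed signing key for the example. A real Fernet key is 32 bytes
# (16 signing + 16 encryption); only a signing half is needed here.
SIGNING_KEY = b"\x01" * 16


def mint_fernet_like_token(now: float, signing_key: bytes = SIGNING_KEY) -> bytes:
    """Build a token with Fernet's layout:
    0x80 | 64-bit big-endian timestamp | 16-byte IV | ciphertext | HMAC-SHA256.
    The timestamp is int(now): sub-second precision is discarded, as in the spec.
    The ciphertext field is constructed filler, not AES-CBC output."""
    header = b"\x80" + struct.pack(">Q", int(now)) + os.urandom(16)
    body = header + b"constructed-payload-not-actually-encrypted"
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def fernet_timestamp(token: bytes, signing_key: bytes = SIGNING_KEY) -> int:
    """Verify the HMAC and return the whole-second creation timestamp from the header."""
    raw = base64.urlsafe_b64decode(token)
    if raw[0:1] != b"\x80":
        raise ValueError("not a Fernet token (bad version byte)")
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch")
    return struct.unpack(">Q", raw[1:9])[0]


def is_revoked(token_issued_at: int, revocation_events: list[float]) -> bool:
    """Simplified model (assumption) of the revocation check: a token is revoked
    unless it was issued strictly after every applicable revocation event.
    Because the token only carries whole seconds, a password change at T+0.3
    and a token minted at T+0.9 compare as T vs T+0.3, so the token is rejected."""
    return any(token_issued_at <= event for event in revocation_events)


def wait_for_next_second(since: float, clock=time.time, sleep=time.sleep) -> float:
    """The tempest-style workaround: block until the clock is in a later whole second.
    clock/sleep are injectable so the behaviour can be exercised deterministically."""
    target = math.floor(since) + 1
    now = clock()
    while now < target:
        sleep(0.05)
        now = clock()
    return now


def issue_and_check(revoked_at: float, minted_at: float) -> tuple[int, bool]:
    """Mint a token at minted_at and report (header timestamp, revoked?) against
    a revocation event at revoked_at. Times are constructed epoch seconds."""
    token = mint_fernet_like_token(minted_at)
    issued_at = fernet_timestamp(token)
    return issued_at, is_revoked(issued_at, [revoked_at])


if __name__ == "__main__":
    change = 1525000000.3          # constructed: password changed at T+0.3s
    print(issue_and_check(change, 1525000000.9))   # same second -> revoked (401)
    print(issue_and_check(change, 1525000001.1))   # next second  -> accepted
```

Running it shows the first token carrying timestamp 1525000000, which is not after the revocation event at 1525000000.3, while a token minted a fraction of a second later, in the next whole second, passes. `wait_for_next_second` is what the delay in step 4 of the reproduction achieves by hand.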