Reviewed:  https://review.opendev.org/739784
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2707498474003883530688a222e4143cf04ad2a7
Submitter: Zuul
Branch:    master

commit 2707498474003883530688a222e4143cf04ad2a7
Author: Vishakha Agarwal <[email protected]>
Date:   Tue Jul 7 20:22:07 2020 +0530

    Fix "allow expired" feature for JWT

    GET /v3/auth/tokens?allow_expired=1 works fine with fernet tokens
    returning the expired token data, whereas it returns exception
    TokenNotFound for JWT.

    This patch fixes the same.

    Change-Id: I03f6c58dce7d140d62055a97063aeb480498e5e6
    Closes-Bug: #1886017

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1886017

Title:
  "allow expired" feature is broken against json web token

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When using the json web token, the allow expired feature is broken.

  Steps to reproduce:
  1. create TOKEN1 with long expiration period.
  2. create TOKEN2 with short expiration period
  3. after TOKEN2 is expired, call GET /v3/auth/tokens?allow_expired=1
     with X-Auth-Token: TOKEN1, X-Subject-Token: TOKEN2

  Keystone is supposed to return the token data of TOKEN2 but an error
  of TokenNotFound is returned.

  This has been tested against fernet token and it worked as expected.

  Here is the cause I found:
  jwt.decode() raises an ExpiredSignatureError when a token is expired,
  thus the expiry windows code won't be executed.
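
Added example, not part of the bug report or the keystone patch: the failure mode described above, next to one way to apply an expiry window while still verifying the signature. It uses a minimal standard-library HS256 verifier in place of PyJWT; the names `decode`, `validate_broken`, `validate_fixed`, `window` and both exception classes are assumptions for illustration, not keystone's code.

```python
import base64, hashlib, hmac, json

class TokenExpired(Exception):
    """Stand-in for jwt.ExpiredSignatureError."""

class TokenNotFound(Exception):
    """Stand-in for the TokenNotFound error from the bug report."""

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def encode(payload, key):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signed = head + b"." + _b64(json.dumps(payload).encode())
    return signed + b"." + _b64(hmac.new(key, signed, hashlib.sha256).digest())

def decode(token, key, now, verify_exp=True):
    """Check the signature, then the expiry, as a JWT library's decode does."""
    try:
        head, body, sig = token.split(b".")
        want = hmac.new(key, head + b"." + body, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), want):
            raise ValueError("bad signature")
        payload = json.loads(_unb64(body))
        expires_at = payload["exp"]
    except (ValueError, KeyError, TypeError):
        raise TokenNotFound("malformed or forged token")
    if verify_exp and now >= expires_at:
        raise TokenExpired()
    return payload

def validate_broken(token, key, now, window=0):
    try:
        payload = decode(token, key, now)  # raises before the window is consulted
    except TokenExpired:
        raise TokenNotFound("expired")
    if now >= payload["exp"] + window:  # unreachable for an expired token
        raise TokenNotFound("expired")
    return payload

def validate_fixed(token, key, now, window=0):
    # Skip only the library's expiry check; the signature is still verified.
    payload = decode(token, key, now, verify_exp=False)
    if now >= payload["exp"] + window:
        raise TokenNotFound("outside the allowed expiry window")
    return payload
```

With `window=0` the fixed path still rejects every expired token, so only a request that opts in to expired tokens gets the wider window.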

