Fix "allow expired" feature for JWT
GET /v3/auth/tokens?allow_expired=1 works fine with fernet tokens, returning the expired token data, whereas for JWT it raises a TokenNotFound exception. This patch fixes that. Change-Id: I03f6c58dce7d140d62055a97063aeb480498e5e6 Closes-Bug: #1886017
This commit is contained in:
parent
3eb8cafb8d
commit
2707498474
@ -2628,6 +2628,23 @@ class TokenAPITests(object):
with app.test_client() as c:
with app.test_client() as c:
c.get('/v3/users', headers=headers)
c.get('/v3/users', headers=headers)
def test_fetch_expired_allow_expired_in_expired_window(self):
self.config_fixture.config(group='token',
expiration=10,
allow_expired_window=20)
time = datetime.datetime.utcnow()
with freezegun.freeze_time(time):
token = self._get_project_scoped_token()
tick = datetime.timedelta(seconds=15)
with freezegun.freeze_time(time + tick):
# after passing expiry time validation fails
self._validate_token(token, expected_status=http.client.NOT_FOUND)
# but if we pass allow_expired it validates
r = self._validate_token(token, allow_expired=True)
self.assertValidProjectScopedTokenResponse(r)
class TokenDataTests(object):
class TokenDataTests(object):
"""Test the data in specific token types."""
"""Test the data in specific token types."""
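Review bot: The new test_fetch_expired_allow_expired_in_expired_window only exercises a point inside the window (15s after issue, with expiration=10 and allow_expired_window=20); nothing asserts that a token past the window is still rejected even when allow_expired=True, which is the property the window exists to enforce and exactly what the verify_exp change in the JWS formatter makes worth pinning. A second frozen point would cover it, e.g. `with freezegun.freeze_time(time + datetime.timedelta(seconds=35)):` followed by `self._validate_token(token, allow_expired=True, expected_status=http.client.NOT_FOUND)`, assuming _validate_token accepts both keywords together as the two existing calls suggest. The TokenAPITests class continues outside the hunk.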
@ -175,13 +175,15 @@ class JWSFormatter(object):
)
)
def _decode_token_from_id(self, token_id):
def _decode_token_from_id(self, token_id):
options = dict()
options['verify_exp'] = False
for public_key in self.public_keys:
for public_key in self.public_keys:
try:
try:
return jwt.decode(
return jwt.decode(
token_id, public_key, algorithms=JWSFormatter.algorithm
token_id, public_key, algorithms=JWSFormatter.algorithm,
options=options
)
)
except (jwt.InvalidSignatureError, jwt.DecodeError,
except (jwt.InvalidSignatureError, jwt.DecodeError):
jwt.ExpiredSignatureError):
pass # nosec: We want to exhaustively try all public keys
pass # nosec: We want to exhaustively try all public keys
raise exception.TokenNotFound(token_id=token_id)
raise exception.TokenNotFound(token_id=token_id)
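Review bot: With `options['verify_exp'] = False`, jwt.decode no longer rejects expired tokens at all, so every caller of _decode_token_from_id now depends on a later layer to compare the token's expiry against now and the configured allow_expired_window, and that contract is stated nowhere in the hunk. A comment above the loop would make the dependency explicit, e.g. `# Expiry is deliberately not enforced here so expired tokens can be returned when allow_expired is requested; the token provider checks expires_at and allow_expired_window after decoding.` — the provider-side check is not visible in this diff and should be confirmed before the comment is taken as fact. As a point of style, `options = dict()` followed by a single key assignment reads more directly as `options = {'verify_exp': False}`. The JWSFormatter class continues outside the hunk.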
5
releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml
Normal file
5
releasenotes/notes/bug-1886017-bc2ad648d57101a2.yaml
Normal file
@ -0,0 +1,5 @@
---
fixes:
- |
[`bug 1886017 <https://bugs.launchpad.net/keystone/+bug/1886017>`_]
JWT validation now supports `allow_expired` query parameters.