diff --git a/keystone/api/auth.py b/keystone/api/auth.py
index 96c17f1301..052781f1fa 100644
--- a/keystone/api/auth.py
+++ b/keystone/api/auth.py
@@ -335,6 +335,7 @@ class AuthFederationWebSSOResource(_AuthFederationWebSSOBase):
 @classmethod
 def _perform_auth(cls, protocol_id):
 idps = PROVIDERS.federation_api.list_idps()
+ remote_id = None
 for idp in idps:
 try:
 remote_id_name = federation_utils.get_remote_id_parameter(
diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index 9b27f1bad4..a24ddfc464 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -4886,6 +4886,16 @@ class WebSSOTests(FederatedTokenTests):
 auth_api.AuthFederationWebSSOResource._perform_auth,
 self.PROTOCOL)
 
+ def test_federated_sso_auth_protocol_not_found(self):
+ environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0],
+ 'QUERY_STRING': 'origin=%s' % self.ORIGIN}
+ environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
+ with self.make_request(environ=environment):
+ self.assertRaises(
+ exception.Unauthorized,
+ auth_api.AuthFederationWebSSOResource._perform_auth,
+ 'no_this_protocol')
+
 def test_federated_sso_untrusted_dashboard(self):
 environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0],
 'QUERY_STRING': 'origin=%s' % uuid.uuid4().hex}
diff --git a/releasenotes/notes/bug-1844207-x27a31f3403xfd7y.yaml b/releasenotes/notes/bug-1844207-x27a31f3403xfd7y.yaml
new file mode 100644
index 0000000000..29ccaac427
--- /dev/null
+++ b/releasenotes/notes/bug-1844207-x27a31f3403xfd7y.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ [`bug 1844207 `_]
+ Fixes an issue with WebSSO auth where a server error was raised if a remote
+ ID can't be found for the requested federation protocol, now correctly
+ raises an Unauthorized client error.
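Review bot: The new `remote_id = None` default in `_perform_auth` only gives the intended result if the code after the loop treats a falsy `remote_id` as an authentication failure, and that check lies outside this hunk, so it should be confirmed there. Without the default, a loop that never assigns the name (presumably when every IdP is skipped for the requested protocol, or the IdP list is empty) leaves it unbound, which matches the server error the release note describes. Because this is an authentication path, I would state the fail-closed intent next to the default, for example `# Stays None when no IdP offers protocol_id; the check after the loop must then reject with Unauthorized.`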
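Review bot: `test_federated_sso_auth_protocol_not_found` asserts only the exception class, so it would also pass if `Unauthorized` were raised for an unrelated reason before the IdP loop runs. A one-line comment tying it to the regression would make the intent reviewable, e.g. `# Regression for bug 1844207: an unknown protocol must yield 401, not a server error.` The case of no registered IdPs at all likely reaches the same code path and is not covered here; whether the fixture allows that setup is not visible in this hunk.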