keystone/bug-1291157-00b5c714a097e84c.yaml at e21ea06613a12057e62c0e8c732fb5cac2507e48 - keystone - OpenDev: Free Software Needs Free Tools

openstack/keystone

Lance Bragstad f463bdccf1 Validate identity providers during token validation

Previously, it was possible to validate a federated keystone token
after the identity provider associated by that token was deleted,
which is a security concern.

This commit does two things. First it makes it so that the token
cache is invalidated when identity providers are deleted. Second,
it validates the identity provider in the token data and ensures it
actually exists in the system before considering the token valid.

Change-Id: I57491c5a7d657b25cc436452acd7fcc4cd285839
Closes-Bug: 1291157

2018-02-01 23:33:42 +00:00

8 lines

317 B

YAML

Raw Blame History

 ---
 fixes:
   - |
     [`bug 1291157 <https://bugs.launchpad.net/keystone/+bug/1291157>`_]
     Identity provider information is now validated in during token validation.
     If an identity provider is removed from a keystone service provider, tokens
     associated to that identity provider will be considered invalid.