This seems like a missing use case in openstackclient? If you give it an existing token, why is it trying to rescope it? What is it trying to rescope the token to?
** Also affects: python-openstackclient
   Importance: Undecided
       Status: New

** Changed in: keystone
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/1541656

Title:
  OAuth Identity token gives Forbidden

Status in OpenStack Identity (keystone):
  Incomplete
Status in python-openstackclient:
  New

Bug description:
  I have enabled OAuth1 in Keystone Kilo, then followed the flow described here:
  https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html#delegated-authentication-flow

  Created a consumer, created a request token, authorized the request token, exchanged it for an access token and finally obtained an Identity token out of the access token, which looks like:

    HTTP/1.1 201 Created
    Date: Thu, 04 Feb 2016 00:20:13 GMT
    Server: Apache/2.4.10 (Linux/SUSE)
    Content-Length: 7982
    X-Subject-Token: 5bae545dc72d499bb3ec2792c9e53cbd
    Vary: X-Auth-Token
    x-openstack-request-id: req-241f91a2-8bc5-44a0-8676-8f521e074475
    Content-Type: application/json

    {"token": {"methods": ["oauth1"], "roles": [{"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}], "expires_at": "2016-02-04T01:20:13.114596Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": ..........skipped catalog, etc..... "OS-OAUTH1": {"access_token_id": "f718a55aeae24fa1930b726cbd41b378", "consumer_id": "979f33d9d2c54fd4ae9d5ed3c2c8f61b"}}}

  Then when I try to use the token, for example to list servers:

    openstack --os-token 5bae545dc72d499bb3ec2792c9e53cbd --os-auth-url https://host:5000/v3 --os-identity-api-version 3 --os-cacert /etc/pki/trust/anchors/ca.pem --os-project-name Project1 server list

  I get a surprising error:

    Forbidden: You are not authorized to perform the requested action. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-34f9098e-7f5d-45e6-95b6-6f4cac87159e)

  After some debugging I found out that my call gets rejected at:

    def token_authenticate(context, auth_payload, user_context, token_ref):
        try:
            # Do not allow tokens used for delegation to
            # create another token, or perform any changes of
            # state in Keystone. To do so is to invite elevation of
            # privilege attacks
            if token_ref.oauth_scoped or token_ref.trust_scoped:
                raise exception.Forbidden()
            # ... (remainder of the function not quoted in the report)

  What am I missing here? My token definitely is oauth_scoped, and how am I supposed to use this Identity token?
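To make the refusal concrete, here is an added Python sketch (not keystone's or openstackclient's code) of the two sides of the exchange: the rescope request a client emits when handed an existing token together with a project scope, and the guard keystone applies to it. The token body is reconstructed from the report with the project id replaced by a placeholder; treating the `OS-OAUTH1` and `OS-TRUST:trust` blocks as the markers behind `oauth_scoped` / `trust_scoped` is an assumption about keystone's token model.

```python
"""Why an OAuth1-issued Keystone token is refused when a client rescopes it.
Added illustration; constructed data, not keystone or openstackclient code."""


class Forbidden(Exception):
    """Stands in for keystone.exception.Forbidden (HTTP 403)."""


# Constructed: relevant fields of the token body from the report
# (catalog omitted, project id replaced by a placeholder).
ISSUED_TOKEN_BODY = {"token": {
    "methods": ["oauth1"],
    "roles": [{"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}],
    "project": {"domain": {"id": "default", "name": "Default"},
                "id": "PROJECT-ID-PLACEHOLDER"},
    "OS-OAUTH1": {"access_token_id": "f718a55aeae24fa1930b726cbd41b378",
                  "consumer_id": "979f33d9d2c54fd4ae9d5ed3c2c8f61b"}}}

# Constructed: a plain password-issued, project-scoped token for contrast.
PASSWORD_TOKEN_BODY = {"token": {"methods": ["password"], "roles": [],
                                 "project": {"id": "PROJECT-ID-PLACEHOLDER"}}}


def delegation_flags(token_body):
    """Assumed mirror of token_ref.oauth_scoped / trust_scoped: a v3 token
    minted from an OAuth1 access token carries an OS-OAUTH1 block, one
    minted from a trust carries OS-TRUST:trust."""
    t = token_body["token"]
    return {"oauth_scoped": "OS-OAUTH1" in t, "trust_scoped": "OS-TRUST:trust" in t}


def rescope_request(token_id, project_name, domain_name):
    """Body of the POST /v3/auth/tokens a client issues when it is given an
    existing token plus a project scope: auth method 'token' + a scope."""
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": token_id}},
                     "scope": {"project": {"name": project_name,
                                           "domain": {"name": domain_name}}}}}


def token_authenticate(request_body, subject_token_body):
    """Simplified keystone-side guard: a token-method request presents an
    existing token; a token obtained by delegation must not mint another."""
    if request_body["auth"]["identity"]["methods"] != ["token"]:
        raise ValueError("not a token-method request")
    flags = delegation_flags(subject_token_body)
    if flags["oauth_scoped"] or flags["trust_scoped"]:
        raise Forbidden("delegated token may not create another token")
    return "ok"


def rescope_status(request_body, subject_token_body):
    """HTTP status the client sees for the rescope attempt (403 or 201)."""
    try:
        token_authenticate(request_body, subject_token_body)
        return 201
    except Forbidden:
        return 403
```

The request in the report falls into the 403 branch purely because the subject token is delegation-derived, independent of the roles it carries.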