Fernet tokens with base64 padding are not URL-safe
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Dolph Mathews |
keystonemiddleware | Invalid | Undecided | Unassigned |
Bug Description
The safe_quote() method, which happens unconditionally on verify_token in keystone auth_token middleware, doesn't seem to work when being used with Fernet, PKI, or PKIz tokens [1]. This method modifies the token [2] before passing it to Keystone, and in the Fernet case, the token_formatter is unable to decrypt the token. This is not apparent with UUID formatted tokens because they are UUID safe, given uuid.uuid4().hex.
This can be recreated using keystone-deploy's fernet-token branch, as well as the PKI and PKIz configurations [3].
[1] https:/
[2] http://
[3] https:/
tags: | added: fernet |
description: | updated |
Changed in keystone: | |
assignee: | nobody → Dolph Mathews (dolph) |
status: | New → In Progress |
Changed in keystone: | |
milestone: | none → kilo-rc1 |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | kilo-rc1 → 2015.1.0 |
Changed in keystonemiddleware: | |
assignee: | Lance Bragstad (lbragstad) → nobody |
We are also safe_quote'ing things that are being passed in the headers, which I'm not entirely sure we need to do?
https://github.com/openstack/python-keystoneclient/blob/fc1f5a7963adb3c39f48131af5117bfafa3b07e7/keystoneclient/middleware/auth_token.py#L1127
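The failure described in the bug report can be reproduced with the standard library alone. This is an added example, not keystone or keystonemiddleware code: `issue`, `validate` and `quote_if_unquoted` are hypothetical stand-ins for a Fernet-style token and for the quoting step, and the key and payload are constructed. The two handling options it exercises (unquote on receipt, or strip padding before transport and restore it before validation) are general ones, not a statement of what the released fix does.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

KEY = b"constructed-demo-key"  # constructed for this example, not a real key


def issue(payload: bytes) -> str:
    """Fernet-like stand-in: urlsafe base64 over payload || HMAC-SHA256."""
    mac = hmac.new(KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def validate(token: str) -> bytes:
    """Decode and check the MAC; raises ValueError on any altered token."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature mismatch")
    return payload


def quote_if_unquoted(s: str) -> str:
    """Hypothetical stand-in for the quoting step described in the report."""
    return quote(s) if s == unquote(s) else s


def survives(token: str) -> bool:
    try:
        validate(token)
        return True
    except ValueError:
        return False


def strip_padding(token: str) -> str:
    return token.rstrip("=")


def restore_padding(token: str) -> str:
    return token + "=" * (-len(token) % 4)


if __name__ == "__main__":
    tok = issue(b"user=demo")  # 41 raw bytes -> one '=' of padding
    quoted = quote_if_unquoted(tok)
    print(quoted[-3:], survives(quoted), survives(unquote(quoted)))
```

The urlsafe alphabet characters `-` and `_` pass through percent-quoting untouched; only the `=` padding is rewritten, which is why an unpadded token is unaffected.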