401 responses do not include WWW-Authenticate header

Bug #1153719 reported by Brant Knudson
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Jeffrey Zhang
Milestone: 2014.1

Bug Description

When an HTTP 1.1 server responds with 401 status code, it MUST include a WWW-Authenticate header. Keystone is not including the WWW-Authenticate header when it responds with 401.

See http://tools.ietf.org/html/rfc2616#section-10.4.2

$ curl -i http://localhost:5000/v3/projects ; echo
HTTP/1.1 401 Not Authorized
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 116
Date: Mon, 11 Mar 2013 18:35:57 GMT

{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}

The server should have included WWW-Authenticate in the response. I don't know what it should be set to, but according to the HTTP 1.1 RFC, it has to be set to something.

Dolph Mathews (dolph) wrote :

I believe keystoneclient.middleware.auth_token sets WWW-Authenticate to the location of keystone's auth endpoint. I think it would be appropriate for the 401 from keystone itself to point to /v3/auth/token if raised by v3.

Dolph Mathews (dolph) wrote :

We also support new CONF values called public_endpoint / admin_endpoint to make this easy to implement. As a generic solution, all 401's could simply point to public_endpoint -- without an additional path.

Changed in keystone:
status: New → Triaged
importance: Undecided → Low
Changed in keystone:
assignee: nobody → buronix (ruben-buron)
Rubén Burón Rodrigo (ruben-buron) wrote :

I will implement the header like 'Keystone uri="%public_endpoint"' as indicated in http://docs.openstack.org/developer/keystone/middlewarearchitecture.html#exchanging-user-information .

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/41707

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/51370

Changed in keystone:
assignee: Rubén Burón Rodrigo (ruben-buron) → Jeffrey Zhang (jeffrey4l)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/51370
Committed: http://github.com/openstack/keystone/commit/591e8ce9d3ae6247ac5b0be93bcef7771d8712dc
Submitter: Jenkins
Branch: master

commit 591e8ce9d3ae6247ac5b0be93bcef7771d8712dc
Author: Lei Zhang <email address hidden>
Date: Sat Oct 12 16:40:44 2013 +0800

    Add WWW-Authenticate header in 401 responses.

    This review comes from https://review.openstack.org/#/c/41707/, due to
    inactivity there.

    Add the WWW-Authenticate in header when Keystone responds with 401 status
    code. The format of the header is

    WWW-Authenticate: Keystone uri="http://localhost:5000/"

    as indicated in

    http://docs.openstack.org/developer/keystone/middlewarearchitecture.html#exchanging-user-information .

    Closes-Bug: #1153719
    Change-Id: Iaa2291c66a9b126982b8aad0ddbfa9468dfc5d3e
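As an added illustration of both the missing-header problem in the bug description and the header format of the merged fix (example code written here, not keystone's or keystoneclient's own; the app, middleware and checker names, the public endpoint value and the JSON body are constructed for the example): a minimal WSGI app that reproduces the bare 401, a middleware that injects `WWW-Authenticate: Keystone uri="<public_endpoint>"` on 401 responses, and a checker that flags a 401 lacking the header that RFC 2616 section 10.4.2 requires.

```python
"""Added example, not keystone code: reproduce the bare 401 from the bug report,
add the WWW-Authenticate challenge in the format of the merged fix, and check
a response for the RFC 2616 10.4.2 requirement."""
import re
from wsgiref.util import setup_testing_defaults

# "<scheme> uri=\"<value>\"" -- the shape used by the fix, e.g.
# Keystone uri="http://localhost:5000/"
CHALLENGE_RE = re.compile(
    r'^(?P<scheme>[A-Za-z][A-Za-z0-9._~+/-]*)\s+uri="(?P<uri>[^"]+)"$'
)


def unauthenticated_app(environ, start_response):
    """Constructed stand-in for the behaviour in the bug report:
    a 401 with no WWW-Authenticate header at all."""
    body = (b'{"error": {"message": "The request you have made requires '
            b'authentication.", "code": 401, "title": "Not Authorized"}}')
    start_response("401 Unauthorized", [
        ("Vary", "X-Auth-Token"),
        ("Content-Type", "application/json"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


class WWWAuthenticateMiddleware:
    """Hypothetical middleware: on any 401 that lacks a challenge, add
    WWW-Authenticate: Keystone uri="<public_endpoint>" (the fix's format).
    An existing WWW-Authenticate header is left untouched."""

    def __init__(self, app, public_endpoint):
        self.app = app
        self.public_endpoint = public_endpoint

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            has_challenge = any(k.lower() == "www-authenticate"
                                for k, _ in headers)
            if status.startswith("401") and not has_challenge:
                headers = list(headers) + [
                    ("WWW-Authenticate",
                     'Keystone uri="%s"' % self.public_endpoint),
                ]
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def call_app(app, path="/v3/projects"):
    """Run one request through a WSGI app offline and capture
    (status, headers, body), mirroring what `curl -i` would show."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def check_401_challenge(status, headers):
    """Return (ok, reason). A 401 MUST carry WWW-Authenticate and, for the
    format used by the fix, the value must parse as '<scheme> uri="..."'."""
    if not status.startswith("401"):
        return True, "not a 401"
    values = [v for k, v in headers if k.lower() == "www-authenticate"]
    if not values:
        return False, "401 without WWW-Authenticate header"
    match = CHALLENGE_RE.match(values[0])
    if not match:
        return False, "unparseable challenge: %r" % values[0]
    return True, "%s challenge pointing at %s" % (match.group("scheme"),
                                                  match.group("uri"))


if __name__ == "__main__":
    print(check_401_challenge(*call_app(unauthenticated_app)[:2]))
    fixed = WWWAuthenticateMiddleware(unauthenticated_app,
                                      "http://localhost:5000/")
    print(check_401_challenge(*call_app(fixed)[:2]))
```

The checker is the same test a reviewer would do by hand with `curl -i`, as in the report: look for the header on a 401 and confirm it parses. The middleware only adds the challenge when the application did not already set one, so a handler that emits its own WWW-Authenticate value is not overwritten.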

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-1 → 2014.1