Per the V3 API we have to pass "X-Auth-Token" to authenticate the caller for all the below-mentioned APIs, and "X-Subject-Token" is the token on which the caller is operating.
The default policy comes with the below rule, which means either admin or user is authorized to revoke a token. Now, to do the authz check we need a target, which should be the user_id associated with X-Subject-Token. In the current implementation the target is coming empty (at the check(rule, target, creds, exc=None, *args, **kwargs) call). Due to that, the ["user_id:%(user_id)s"] rule will never be satisfied.
What I am proposing is to derive user_id (or target) from X-Subject-Token so that the check(rule, target, creds, exc=None, *args, **kwargs) method can evaluate the policy on a target.
OK, let's not treat it as a vulnerability.
Per the V3 API we have to pass "X-Auth-Token" to authenticate the caller for all the below-mentioned APIs, and "X-Subject-Token" is the token on which the caller is operating.

identity:check_token
identity:validate_token
identity:revoke_token

The default policy comes with the below rule, which means either admin or user is authorized to revoke a token. Now, to do the authz check we need a target, which should be the user_id associated with X-Subject-Token. In the current implementation the target is coming empty (at the check(rule, target, creds, exc=None, *args, **kwargs) call). Due to that, the ["user_id:%(user_id)s"] rule will never be satisfied.

"identity:revoke_token": [["rule:admin_required"], ["user_id:%(user_id)s"]],

What I am proposing is to derive user_id (or target) from X-Subject-Token so that the check(rule, target, creds, exc=None, *args, **kwargs) method can evaluate the policy on a target.
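The following is an added illustration of the point made in the report above; it is not keystone or oslo.policy code. It implements a minimal evaluator for the old list-of-lists policy.json format (outer list = OR of alternatives, inner list = AND of atoms, "rule:" references another rule, "key:%(key)s" compares a caller credential against a target attribute), and shows that with an empty target the "user_id:%(user_id)s" alternative can never match, while deriving the target user_id from X-Subject-Token makes it match only for the token's owner. The definition of admin_required, the token store and the two revoke_token_* wrappers are assumptions made for the example.

```python
"""Mini evaluator for the list-of-lists policy format (illustration only).

Not keystone's or oslo.policy's implementation. The token store and the
admin_required definition are constructed stand-ins for the example.
"""

# "identity:revoke_token" is the rule quoted in the report; admin_required
# is an assumed minimal definition.
POLICY = {
    "admin_required": [["role:admin"]],
    "identity:revoke_token": [["rule:admin_required"], ["user_id:%(user_id)s"]],
}

# Constructed stand-in for the token backend: token id -> owner and roles.
TOKENS = {
    "tok-alice": {"user_id": "alice", "roles": ["member"]},
    "tok-bob": {"user_id": "bob", "roles": ["member"]},
    "tok-admin": {"user_id": "root", "roles": ["admin"]},
}


def _check_atom(atom, target, creds):
    """Evaluate one 'kind:match' atom; unknown kinds fail closed."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return _check_rule(match, target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: the right-hand side is interpolated from the target,
    # then compared with the caller's credential of the same name.
    # With an empty target the interpolation raises KeyError, so the atom
    # can never be satisfied, which is the bug described in the report.
    try:
        expected = match % target
    except KeyError:
        return False
    return str(creds.get(kind)) == expected


def _check_rule(name, target, creds):
    """OR over alternatives, AND within an alternative; unknown rule fails closed."""
    alternatives = POLICY.get(name)
    if alternatives is None:
        return False
    return any(all(_check_atom(a, target, creds) for a in alt) for alt in alternatives)


def check(rule, target, creds):
    """Same shape as the check(rule, target, creds) call named in the report."""
    return _check_rule(rule, target, creds)


def credentials_from(auth_token):
    """Caller credentials derived from X-Auth-Token (constructed lookup)."""
    t = TOKENS[auth_token]
    return {"user_id": t["user_id"], "roles": t["roles"]}


def revoke_token_current(auth_token, subject_token):
    """Current behaviour per the report: the target is passed empty."""
    return check("identity:revoke_token", {}, credentials_from(auth_token))


def revoke_token_proposed(auth_token, subject_token):
    """Proposed behaviour: target user_id derived from X-Subject-Token."""
    target = {"user_id": TOKENS[subject_token]["user_id"]}
    return check("identity:revoke_token", target, credentials_from(auth_token))


if __name__ == "__main__":
    # alice revoking her own token: denied today, allowed with a derived target
    print(revoke_token_current("tok-alice", "tok-alice"))   # False
    print(revoke_token_proposed("tok-alice", "tok-alice"))  # True
    # alice revoking bob's token stays denied; admin is allowed either way
    print(revoke_token_proposed("tok-alice", "tok-bob"))    # False
    print(revoke_token_current("tok-admin", "tok-bob"))     # True
```

With an empty target only the admin_required alternative can ever succeed, so a non-admin user is always denied even for their own token; once the target carries the subject token's user_id, the second alternative matches exactly when the caller's user_id equals it.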