Token not decoded in SSO callback template

Bug #1833311 reported by Michael Carpenter
Affects: OpenStack Identity (keystone) | Status: Triaged | Importance: Low | Assigned to: Unassigned

Bug Description

In https://github.com/openstack/keystone/blob/stable/stein/keystone/api/auth.py#L108 the token is not decoded and therefore is rendered in the SSO callback template as bytes. See example below for how to recreate.

>>> import string
>>> template = string.Template("""<!DOCTYPE html>
... <html xmlns="http://www.w3.org/1999/xhtml">
... <head>
... <title>Keystone WebSSO redirect</title>
... </head>
... <body>
... <form id="sso" name="sso" action="$host" method="post">
... Please wait...
... <br/>
... <input type="hidden" name="token" id="token" value="$token"/>
... <noscript>
... <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
... value="If your JavaScript is disabled, please click to continue"/>
... </noscript>
... </form>
... <script type="text/javascript">
... window.onload = function() {
... document.forms['sso'].submit();
... }
... </script>
... </body>
... </html>""")
>>> subs = {"host": b"myhost", "token": b"mytoken"}
>>> template.substitute(subs)
'<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml">\n <head>\n <title>Keystone WebSSO redirect</title>\n </head>\n <body>\n <form id="sso" name="sso" action="b\'myhost\'" method="post">\n Please wait...\n <br/>\n <input type="hidden" name="token" id="token" value="b\'mytoken\'"/>\n <noscript>\n <input type="submit" name="submit_no_javascript" id="submit_no_javascript"\n value="If your JavaScript is disabled, please click to continue"/>\n </noscript>\n </form>\n <script type="text/javascript">\n window.onload = function() {\n document.forms[\'sso\'].submit();\n }\n </script>\n </body>\n</html>'

Colleen Murphy (krinkle) wrote :

Can you explain the negative consequences this has had on your deployment? Are you unable to authenticate because of this?

Changed in keystone:
status: New → Incomplete
Michael Carpenter (macarpen) wrote :

After some additional testing it looks like this is only the case when using jws tokens; fernet tokens are not affected.

The negative consequence is that the SSO callback endpoint has to perform additional parsing to get the actual token value.

Colleen Murphy (krinkle) wrote :

What do you mean by additional parsing? Again, are you unable to authenticate because of this? Does horizon not handle this correctly? Do you have a traceback? Please be specific.

Michael Carpenter (macarpen) wrote :

My use case does not involve Horizon but rather a custom application that uses keystone for identity.

This is what the callback payload looks like when using fernet tokens (using https://httpbin.org/post as a stand-in for the callback):

"form": {
    "token": "gAAAAABdC74ZolSC6H85K0_iOVSoYyYSo8CC2-Tc0wa9LwxvDlL2DnFNREPFUyCw5yaFmqW8FhHZW45TE1c1ZzaLrYVV4ggvzCfmfzZtkk4P3AwHza3LJLefmca1IzITA2z3RV4AQ2j-FqLC60L8gOJ27Q2iPN5hpX7yTPNH-EJfsKOX34HUAGU"
  }

This is what it looks like when using jws tokens:

"form": {
    "token": "b'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiI4ZTJkYWRmYjcwNGU0ODg1OWYyNzI1NWI0ZjRjMTkxZCIsImlhdCI6MTU2MTA1MDg3OCwiZXhwIjoxNTYxMDY1Mjc4LCJvcGVuc3RhY2tfbWV0aG9kcyI6WyJvcGVuaWQiXSwib3BlbnN0YWNrX2F1ZGl0X2lkcyI6WyJiNjdZOWJXSlRZMnpFQUJaZm1PdEZ3Il0sIm9wZW5zdGFja19ncm91cF9pZHMiOltdLCJvcGVuc3RhY2tfaWRwX2lkIjoidzNpZCIsIm9wZW5zdGFja19wcm90b2NvbF9pZCI6Im9wZW5pZCJ9.Q77MWAgyIlFjHJgEPajXbI72qR9KelV29oi7KQ1ydZsWncKThkfRKJreBoKM2pLcPZp3whol9T8lPEppb4wkOg'"
  }

Notice when using jws tokens the token parameter is sent as b'<token_value>' instead of just <token_value>. Does Horizon have logic to parse out the token value when jws is being used as the token provider? I realize the logic involved would be trivial, but it just seemed odd that the token would be formatted differently depending on which token provider is in use.

Colleen Murphy (krinkle) wrote :

Confirmed this is true when keystone is run under python3. This should be a simple fix, the token ID just needs to be converted to a string when the callback template is rendered.

Changed in keystone:
status: Incomplete → Triaged
importance: Undecided → Low
tags: added: federation
tags: added: low-hanging-fruit
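
The following is an added worked example, not code from keystone or from anyone in this thread. It reproduces the rendering bug from the description with the page's own template, shows what a callback endpoint actually receives in the hidden token field, and applies the fix proposed in the last comment. One caveat a practitioner should keep in mind when making that fix: calling str() on a bytes object is exactly what produces the b'...' text, so the token ID has to be decoded, not str()-ed. The sample token IDs, the callback URL and the helper names are constructed for the example; the HTML escaping in render_fixed is an addition of this example and not something the page discusses.

```python
import html
from html.parser import HTMLParser
import string
from typing import Optional, Union

# The SSO callback template exactly as reproduced in the bug description.
SSO_TEMPLATE = string.Template("""<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Keystone WebSSO redirect</title>
</head>
<body>
<form id="sso" name="sso" action="$host" method="post">
Please wait...
<br/>
<input type="hidden" name="token" id="token" value="$token"/>
<noscript>
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
value="If your JavaScript is disabled, please click to continue"/>
</noscript>
</form>
<script type="text/javascript">
window.onload = function() {
document.forms['sso'].submit();
}
</script>
</body>
</html>""")

# Constructed sample token IDs, not real keystone tokens. Under Python 3 the
# thread shows the jws provider handing back bytes and fernet handing back str.
FERNET_TOKEN = "gAAAAABdC74Zo_constructed_fernet_sample_id"
JWS_TOKEN = b"eyJ0eXAiOiJKV1QifQ.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2lnbmF0dXJl"
CALLBACK = "https://app.example/auth/websso"  # assumed callback origin


def render_buggy(host: Union[str, bytes], token: Union[str, bytes]) -> str:
    """Substitute whatever the token provider returned, as on the page.
    string.Template formats each value with '%s', so a bytes token goes
    through bytes.__str__ and is rendered as b'...'."""
    return SSO_TEMPLATE.substitute({"host": host, "token": token})


def to_text(value: Union[str, bytes]) -> str:
    """Normalise a token ID to str. str(b'x') == "b'x'" is the bug itself,
    so bytes are decoded rather than passed through str()."""
    if isinstance(value, bytes):
        return value.decode("utf-8")
    return value


def render_fixed(host: Union[str, bytes], token: Union[str, bytes]) -> str:
    """Decode before substituting. The attribute values are also HTML-escaped
    as defence in depth; that is an addition of this example."""
    return SSO_TEMPLATE.substitute({
        "host": html.escape(to_text(host), quote=True),
        "token": html.escape(to_text(token), quote=True),
    })


class _TokenInputParser(HTMLParser):
    """Picks the value of the hidden input named 'token', i.e. what the
    browser will POST to the callback endpoint."""

    def __init__(self) -> None:
        super().__init__()
        self.token: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "input" and attributes.get("name") == "token":
            self.token = attributes.get("value")


def hidden_token_value(page: str) -> Optional[str]:
    """Return the token exactly as a callback endpoint would receive it."""
    parser = _TokenInputParser()
    parser.feed(page)
    return parser.token


if __name__ == "__main__":
    # Bytes token through the original template: callback sees b'...'.
    print(hidden_token_value(render_buggy(CALLBACK, JWS_TOKEN)))
    # Same token once decoded: callback sees the bare token ID.
    print(hidden_token_value(render_fixed(CALLBACK, JWS_TOKEN)))
```

Run it to see the two hidden-field values side by side; the str token (the fernet case on the page) renders identically through both paths, which is why only deployments on the jws provider noticed.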