Public bug reported:

In keystone, when a user gets an unscoped token using a password and their username, the unscoped token response contains a method list. This method list will consist of ['password'], since it was the method used to obtain the token. When the user goes to scope their unscoped token to a project, the project scoped response will contain a method list of ['password', 'token'], since a password was used initially, and the unscoped token was also used as a form of authentication.

In federation, when a user gets an unscoped token from a valid SAML assertion, the unscoped response's method list will consist of ['saml2']. When the user goes to get a project scoped token, the project scoped response's method list will only contain ['saml2']. The 'token' entry is missing from the method list for rescoped federated tokens, despite using an unscoped token as a method of authentication. This seems to be an inconsistency between the authentication API and the federated authentication API.

I've pushed a patch that exposes this bug here - https://review.openstack.org/#/c/229125/

** Affects: keystone
     Importance: Undecided
         Status: New

** Tags: federation

** Tags added: federation

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1501032

Title:
  incorrect method list is returned when scoping tokens with federation

Status in Keystone:
  New
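
The comparison the report describes, as an added example that is not part of the original bug report or of keystone's code: it checks that a rescoped token's method list is the unscoped token's list plus 'token'. The response bodies are constructed samples trimmed to the fields used (Identity v3 layout, `token.methods`), and the function names are hypothetical.

```python
import json

# Constructed sample bodies, trimmed to the fields this check reads.
PASSWORD_UNSCOPED = '{"token": {"methods": ["password"]}}'
PASSWORD_SCOPED = ('{"token": {"methods": ["password", "token"],'
                   ' "project": {"name": "demo"}}}')
SAML_UNSCOPED = '{"token": {"methods": ["saml2"]}}'
SAML_SCOPED = '{"token": {"methods": ["saml2"], "project": {"name": "demo"}}}'


def expected_rescoped_methods(unscoped_methods):
    """Methods a rescoped token should list: the original ones plus 'token'."""
    expected = list(unscoped_methods)
    if "token" not in expected:
        expected.append("token")
    return expected


def check_rescope(unscoped_body, scoped_body):
    """Compare two token response bodies.

    Returns (ok, missing, unexpected), where the two lists are sorted
    method names relative to the expected rescoped method list.
    """
    unscoped = json.loads(unscoped_body)["token"]["methods"]
    scoped = json.loads(scoped_body)["token"]["methods"]
    expected = expected_rescoped_methods(unscoped)
    missing = sorted(set(expected) - set(scoped))
    unexpected = sorted(set(scoped) - set(expected))
    return (not missing and not unexpected, missing, unexpected)


def run_samples():
    """Run the check over both flows described in the report."""
    return {
        "password": check_rescope(PASSWORD_UNSCOPED, PASSWORD_SCOPED),
        "saml2": check_rescope(SAML_UNSCOPED, SAML_SCOPED),
    }


if __name__ == "__main__":
    for flow, (ok, missing, unexpected) in run_samples().items():
        status = "consistent" if ok else "inconsistent"
        print(f"{flow}: {status} missing={missing} unexpected={unexpected}")
```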