Implemented as part of: https://blueprints.launchpad.net/keystone/+spec/rescoping
** Changed in: keystone
   Milestone: None => 2015.1.0
** Changed in: keystone
   Status: Triaged => Fix Released
** Changed in: keystone
   Assignee: Priti Desai (priti-desai) => Adam Young (ayoung)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1299039

Title:
  Token Scoping

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  In the Havana stable release, for both V2.0 and V3, a scoped token can be used to get another scoped or unscoped token. This can be exploited by anyone who has gained access to a scoped token.

  For example,
  1. userA is related to two projects: Project1, Project2
  2. userA creates tokenA scoped by Project1
  3. userA shares tokenA with a third party (malicious).
  4. The third party can now make a token creation call to create a new tokenB scoped under projectB using tokenA.

  Although we know that a bearer token has an all-or-nothing property, scoping the token can limit the exposure. A scoped token should not be allowed to create another scoped token.
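The four steps in the report, replayed against a small model of a token service. This is an added illustration written for this page, not Keystone's code: the user, password and project names, the Forbidden exception and the allow_rescope_scoped flag are all constructed here. The same service runs in two modes: one mirrors the Havana behaviour described above (any valid token can mint a token for any project its owner holds), the other enforces the rule the reporter asks for (a token that is already scoped cannot be exchanged for another token, while an unscoped token still can).

```python
"""Model of the token-rescoping weakness described in bug 1299039.

Constructed example, not Keystone's own implementation.  A leaked
project-scoped token (tokenA, Project1) is presented to the token
endpoint to request a token scoped to a different project (Project2).
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed identity data: userA is a member of two projects.
MEMBERSHIPS = {"userA": {"Project1", "Project2"}}
PASSWORDS = {"userA": "correct-horse"}          # constructed credential


@dataclass(frozen=True)
class Token:
    id: str
    user: str
    project: Optional[str]      # None means the token is unscoped


class Forbidden(Exception):
    """Raised when the service refuses to issue a token."""


class TokenService:
    def __init__(self, allow_rescope_scoped: bool) -> None:
        # True  -> Havana-style: any valid token can be rescoped.
        # False -> hardened: a scoped token cannot be used to get a new token.
        self.allow_rescope_scoped = allow_rescope_scoped
        self._issued: Dict[str, Token] = {}

    def _mint(self, user: str, project: Optional[str]) -> Token:
        # Scoping is only allowed to projects the user actually holds.
        if project is not None and project not in MEMBERSHIPS.get(user, set()):
            raise Forbidden(f"{user} has no role on {project}")
        tok = Token(secrets.token_hex(16), user, project)
        self._issued[tok.id] = tok
        return tok

    def auth_password(self, user: str, password: str,
                      project: Optional[str] = None) -> Token:
        """Password authentication, optionally scoped to a project."""
        if PASSWORDS.get(user) != password:
            raise Forbidden("bad credentials")
        return self._mint(user, project)

    def auth_token(self, token_id: str, project: Optional[str] = None) -> Token:
        """Token-for-token exchange: the call the report abuses in step 4."""
        tok = self._issued.get(token_id)
        if tok is None:
            raise Forbidden("unknown or expired token")
        if tok.project is not None and not self.allow_rescope_scoped:
            # The check the report asks for: a scoped token stays confined
            # to the project it was issued for and cannot mint another token.
            raise Forbidden("a scoped token cannot be used to obtain another token")
        return self._mint(tok.user, project)


def replay_report(allow_rescope_scoped: bool) -> Optional[str]:
    """Steps 1-4 of the bug description.

    Returns the project tokenB is scoped to, or None if the service refused.
    """
    svc = TokenService(allow_rescope_scoped)
    token_a = svc.auth_password("userA", "correct-horse", project="Project1")  # step 2
    # Step 3: tokenA leaks.  The third party holds only the bearer string.
    leaked_id = token_a.id
    try:
        token_b = svc.auth_token(leaked_id, project="Project2")               # step 4
    except Forbidden:
        return None
    return token_b.project


def rescope_from_unscoped(allow_rescope_scoped: bool) -> Optional[str]:
    """Control case: an unscoped token is still allowed to pick a scope."""
    svc = TokenService(allow_rescope_scoped)
    unscoped = svc.auth_password("userA", "correct-horse")
    try:
        return svc.auth_token(unscoped.id, project="Project2").project
    except Forbidden:
        return None


if __name__ == "__main__":
    print("Havana-style:", replay_report(True))       # attacker gets a Project2 token
    print("hardened:    ", replay_report(False))      # refused
    print("unscoped ->  ", rescope_from_unscoped(False))
```

In the hardened mode the leaked tokenA is still a bearer credential for everything inside Project1, which is the all-or-nothing property the reporter acknowledges; what the check removes is the ability to turn one project's token into a token for every other project the user belongs to.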