Comment 3 for bug 1186059

Arvind Tiwari (arvind-tiwari) wrote :

OK, let's not treat it as a vulnerability.

As per the V3 API we have to pass "X-Auth-Token" to authenticate the caller for all the APIs mentioned below, and "X-Subject-Token" is the token on which the caller is operating.

identity:check_token
identity:validate_token
identity:revoke_token

The default policy comes with the rule below, which means either an admin or the user is authorized to revoke a token. Now, to do the authz check we need a target, which should be the user_id associated with X-Subject-Token. In the current implementation the target is coming in empty (at the check(rule, target, creds, exc=None, *args, **kwargs) call). Due to that, the ["user_id:%(user_id)s"] rule will never be satisfied.

 "identity:revoke_token": [["rule:admin_required"], ["user_id:%(user_id)s"]],

What I am proposing is to derive user_id (or the target) from X-Subject-Token so that the check(rule, target, creds, exc=None, *args, **kwargs) method can evaluate the policy against a target.
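The evaluation described in the comment above, as an added example that is not Keystone's code and not part of the bug thread: a minimal evaluator for the list-of-lists rule syntax quoted there (outer list is OR, inner lists are AND, atoms are `rule:`, `role:` or `key:%(attr)s`), run once with an empty target and once with a target derived from the subject token. The token store, token ids, user ids and the `may_revoke` / `target_from_subject_token` helpers are constructed for the example.

```python
"""Constructed model of the revoke_token authz check from the comment above.
Not Keystone's own policy engine; the token store and helpers are assumed."""

# Policy in the quoted form: outer list is OR, inner lists are AND.
POLICY = {
    "admin_required": [["role:admin"]],
    "identity:revoke_token": [["rule:admin_required"], ["user_id:%(user_id)s"]],
}

# Constructed token store standing in for the tokens behind X-Auth-Token and
# X-Subject-Token (token id -> token data). Ids and users are made up.
TOKENS = {
    "tok-admin": {"user_id": "u-admin", "roles": ["admin"]},
    "tok-alice": {"user_id": "u-alice", "roles": ["member"]},
    "tok-bob": {"user_id": "u-bob", "roles": ["member"]},
}


def _match_atom(atom, target, creds):
    """Evaluate one atom such as 'rule:admin_required' or 'user_id:%(user_id)s'."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check(value, target, creds)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic "key:%(attr)s" atom: fill %(attr)s from the target, then compare
    # with the same key in the caller's credentials. If the target lacks the
    # attribute (the empty-target case from the comment) the atom cannot match.
    try:
        expected = value % target
    except KeyError:
        return False
    return str(creds.get(kind)) == expected


def check(rule, target, creds):
    """Return True if creds satisfy `rule` against `target` (OR of ANDs)."""
    alternatives = POLICY.get(rule, [])
    return any(all(_match_atom(atom, target, creds) for atom in conj)
               for conj in alternatives)


def target_from_subject_token(subject_token_id):
    """Derive the authz target from X-Subject-Token, as the comment proposes."""
    token = TOKENS[subject_token_id]
    return {"user_id": token["user_id"]}


def may_revoke(auth_token_id, subject_token_id, derive_target=True):
    """Authorize 'revoke subject token' for the caller behind X-Auth-Token.

    derive_target=False reproduces the empty-target behaviour described in the
    comment; derive_target=True applies the proposed fix.
    """
    creds = TOKENS[auth_token_id]
    target = target_from_subject_token(subject_token_id) if derive_target else {}
    return check("identity:revoke_token", target, creds)


if __name__ == "__main__":
    # Empty target: a non-admin can never revoke even their own token.
    print("alice/own token, empty target:", may_revoke("tok-alice", "tok-alice", derive_target=False))
    # Derived target: owner may revoke their own token, but not someone else's.
    print("alice/own token, derived target:", may_revoke("tok-alice", "tok-alice"))
    print("alice/bob's token, derived target:", may_revoke("tok-alice", "tok-bob"))
    # The admin_required branch does not depend on the target at all.
    print("admin/bob's token, empty target:", may_revoke("tok-admin", "tok-bob", derive_target=False))
```

With the empty target only the `rule:admin_required` alternative can ever succeed, so the `user_id:%(user_id)s` branch is dead; deriving `user_id` from the subject token makes the second alternative evaluable while still refusing a non-admin who names another user's token.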