Comment 0 for bug 1873290

kay (kay-diam) wrote : OAuth1 request token authorize silently ignores roles parameter

Sorry for using the "trustor" and "trustee" terms in an OAuth1 context, but these terms clearly describe the users' positions.

OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role for an OAuth1 Access Token:

$ openstack request token authorize
usage: openstack request token authorize [-h]
                                         [-f {json,shell,table,value,yaml}]
                                         [-c COLUMN] [--noindent]
                                         [--prefix PREFIX]
                                         [--max-width <integer>] [--fit-width]
                                         [--print-empty] --request-key
                                         <request-key> --role <role>
openstack request token authorize: error: the following arguments are required: --request-key, --role

However, the specified role is silently ignored and the OAuth1 token gets all of the OAuth1 "trustor" roles.

https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287

As an OAuth1 "trustor", I expect the "trustee" to have only the accepted roles.
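
Added example, not part of the original report and not Keystone's code: a small Python model of the authorize step that puts the reported behaviour beside the expected one, plus a check that flags roles on a token the trustor never accepted. All function names and role ids are hypothetical, and the rule that a trustor may only delegate roles it holds is an assumption of this sketch.

```python
# Illustrative model only: not Keystone code. All names are hypothetical.

class AuthorizationError(Exception):
    """Raised when a request token authorization must be refused."""


def authorize_ignoring_roles(trustor_role_ids, requested_role_ids):
    """Behaviour described in the report: the requested roles are dropped
    and the token inherits every role the trustor holds."""
    return sorted(set(trustor_role_ids))


def authorize_with_requested_roles(trustor_role_ids, requested_role_ids):
    """Expected behaviour: delegate exactly the roles the trustor accepted."""
    held = set(trustor_role_ids)
    requested = set(requested_role_ids)
    if not requested:
        # Mirrors the CLI, which refuses to run without --role.
        raise AuthorizationError("at least one role must be specified")
    not_held = requested - held
    if not_held:
        # Assumption of this sketch: a trustor cannot delegate a role
        # it does not hold itself.
        raise AuthorizationError(
            "roles not held by the authorizing user: %s" % sorted(not_held))
    return sorted(requested)


def excess_roles(requested_role_ids, token_role_ids):
    """Regression check: roles present on the issued token that the
    trustor never accepted. An empty list means least privilege held."""
    return sorted(set(token_role_ids) - set(requested_role_ids))


if __name__ == "__main__":
    # Constructed sample data: role ids are made up for the example.
    trustor = ["admin", "member", "reader"]
    accepted = ["reader"]
    for fn in (authorize_ignoring_roles, authorize_with_requested_roles):
        granted = fn(trustor, accepted)
        print(fn.__name__, "granted:", granted,
              "excess:", excess_roles(accepted, granted))
```

The same `excess_roles` comparison can be used in a functional test against a real deployment by feeding it the role ids passed to `--role` and the role ids found on the token obtained with the resulting access token.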