Comment 0 for bug 1490804
Revision history for this message
| Liusheng (liusheng) wrote Token Revocation Bypass | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. see the testing script [1].
It is suggested that the revocation should be changed to only check the token's inner ID.
[1] http://