[Openstack-security] [Bug 1299039] Re: Token Scoping

Malini Bhandaru malini.k.bhandaru at intel.com
Sat Apr 5 01:11:26 UTC 2014


Seems like the Horizon login page should take as input a "scope", domain (and even project possibly), to avoid such an issue.
Users are supposed to be unique per domain.

Then we could enforce any subsequent token creation to the domain and
project of the current token. So no more or less harm than the token
already leaked.

Further, we could limit Horizon admin users to only "read-only" on other
domains/projects.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1299039

Title:
  Token Scoping

Status in OpenStack Identity (Keystone):
  Triaged

Bug description:
  In the Havana stable release, for both V2.0 and V3,

  A scoped token can be used to get another scoped or unscoped token.
  This can be exploited by anyone who has gained access to a scoped
  token.

  For example,

  1. userA is related to two projects: Project1, Project2
  2. userA creates tokenA scoped by Project1
  3. userA shares tokenA with a third party (malicious).
  4. The third party can now make a token creation call to create a new tokenB scoped under projectB using tokenA.

  Although we know that a bearer token has an all-or-nothing property, scoping the token can limit the exposure.
  A scoped token should not be allowed to create another scoped token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1299039/+subscriptions
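The following is an added example, not code from Keystone or from anyone in this thread. It models the v3 token-for-token exchange (the "token" auth method of POST /v3/auth/tokens, whose request shape is the public API; the token IDs and names are constructed) on a small in-memory token service, reproduces the Havana behaviour the bug report describes, and applies the restriction the thread proposes: a project-scoped token may only be exchanged for a token with the same project scope, so a leaked token exposes exactly what it already exposed. Only project scope is modelled; domain scope and role checks beyond simple project membership are left out.

```python
"""Token re-scoping check for the Keystone scoped-token bug discussed above.

Added example, not Keystone's code. The `restrict_scoped_rescope` switch is a
hypothetical knob of this toy service used to contrast the reported behaviour
with the proposed fix.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data taken from the bug report: userA is on two projects.
USER_PROJECTS = {"userA": {"Project1", "Project2"}}


@dataclass(frozen=True)
class Token:
    id: str
    user_id: str
    project_id: Optional[str]  # None means the token is unscoped


class RescopeDenied(Exception):
    """The existing token may not be exchanged for the requested scope."""


def v3_token_auth_body(token_id: str, project_id: Optional[str]) -> dict:
    """Body a client (or whoever holds a leaked token) sends to
    POST /v3/auth/tokens to trade an existing token for a new one.
    The structure follows the Keystone v3 API; the identifiers are constructed."""
    body = {"auth": {"identity": {"methods": ["token"], "token": {"id": token_id}}}}
    if project_id is not None:
        body["auth"]["scope"] = {"project": {"id": project_id}}
    return body


class TokenService:
    """Minimal stand-in for Keystone's token issuing path (constructed)."""

    def __init__(self, restrict_scoped_rescope: bool):
        # False reproduces the reported Havana behaviour; True applies the
        # restriction proposed in the thread.
        self.restrict_scoped_rescope = restrict_scoped_rescope
        self.tokens: Dict[str, Token] = {}

    def password_auth(self, user_id: str, project_id: Optional[str]) -> Token:
        """Initial authentication; credentials are assumed valid (report step 2)."""
        return self._issue(user_id, project_id)

    def token_auth(self, body: dict) -> Token:
        """Report step 4: issue a new token from an existing one."""
        auth = body["auth"]
        existing = self.tokens[auth["identity"]["token"]["id"]]  # KeyError if unknown
        requested = auth.get("scope", {}).get("project", {}).get("id")
        if self.restrict_scoped_rescope and existing.project_id is not None:
            # A scoped bearer token may only be exchanged for a token of the
            # same scope, so the damage stays bounded by the original leak.
            if requested != existing.project_id:
                raise RescopeDenied(
                    f"token scoped to {existing.project_id} may not be "
                    f"rescoped to {requested}")
        return self._issue(existing.user_id, requested)

    def _issue(self, user_id: str, project_id: Optional[str]) -> Token:
        if project_id is not None and project_id not in USER_PROJECTS[user_id]:
            raise RescopeDenied(f"{user_id} has no role on {project_id}")
        token = Token(secrets.token_hex(16), user_id, project_id)
        self.tokens[token.id] = token
        return token


def attacker_rescope(restrict: bool, target: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Replays the report's scenario against a service built with `restrict`.
    Returns (exchange_allowed, scope of the attacker's new token)."""
    ks = TokenService(restrict_scoped_rescope=restrict)
    token_a = ks.password_auth("userA", "Project1")  # steps 1-2: scoped to Project1
    leaked_id = token_a.id                           # step 3: tokenA reaches the attacker
    try:
        token_b = ks.token_auth(v3_token_auth_body(leaked_id, target))
    except RescopeDenied:
        return (False, None)
    return (True, token_b.project_id)


if __name__ == "__main__":
    print("Havana behaviour, rescope to Project2:", attacker_rescope(False, "Project2"))
    print("Havana behaviour, drop to unscoped:  ", attacker_rescope(False, None))
    print("Restricted, rescope to Project2:     ", attacker_rescope(True, "Project2"))
    print("Restricted, same scope Project1:     ", attacker_rescope(True, "Project1"))
```

With the restriction on, an unscoped token can still be scoped to any project the user holds a role on, which is the normal login flow; only tokens that already carry a scope are pinned to it.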