Fix proposed to branch: master Review: https://review.openstack.org/419693 ** Changed in: keystone Status: Triaged => In Progress ** Changed in: keystone/newton Status: Triaged => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1656076 Title: The keystone server auth pluigin methods could mismatch user_id in auth_context Status in OpenStack Identity (keystone): In Progress Status in OpenStack Identity (keystone) mitaka series: In Progress Status in OpenStack Identity (keystone) newton series: In Progress Status in OpenStack Identity (keystone) ocata series: In Progress Bug description: The keystone server blindly overwrites the auth_context.user_id in each auth method that is run. This means that the last auth_method that is run for a given authentication request dictates the user_id. While this is not exploitable externally without misconfiguration of the external plugin methods and supporting services, this is a bad state that could relatively easily result in someone ending up authenticated with the wrong user_id. The simplest fix will be to have the for loop in the authentication controller (that iterates over the methods) to verify the user_id does not change between auth_methods executed. https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557 This has been marked as public security for hardening purposes, likely a "Class D" https://security.openstack.org/vmt-process.html#incident- report-taxonomy To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions