PKI-Revoke
Changes to support revocation of PKI tokens
- Revoked tokens must be recorded, not merely removed from the tokens backend. To effect this there are two choices:
- Add an additional column in the database: revoked.
- Change the authenticate code to check for revoked status. Attemptes to authenticate using a revoked token will raise exception.Unauthorized()
- Create an additional table: revoked_tokens. Revoked tokens will be removed from the tokens table just as they are now, and added to the revoked_tokens table.
- Either way, at token timeout, the tokens will be removed from the table.
- Once revoked, a token cannot be unrevoked.
- The Keystone server will expose a list of revoked tokens exposed in an URL.
- GET /tokens/revoked/
- Only exposed on the admin port.
- This is to prevent a race condition attack where a user finds out about a revoked token and attempts to use it before the services
- Services runnning auth_token middleware will query the Revocation list on a simple schedule.
- The time out will be a configuration option.
- The revocation list be a signed CMS document
- The body of the revocation list will be the id_hash values of the tokens.
- If a token authentication request comes in to the auth_token middle and the service does not have a recent revocation list, it is fetched from keystone.
- If the Keystone server cannot be reached, authentication will fail.
- Future enhancements:
- wait a random amount of time and then requery the Keystone server.
- Support as set of Keystone servers where the policy for revocation checking can vary per server.
- Support a setup where a subset of the Keystone serversare not be directly accessible. In those cases, one Keystone server can proxy the revocation list for another server.