2023.1 Series Release Notes


New Features

  • A new option ‘randomize_urls’ can be used to randomize the order in which keystone connects to the LDAP servers in [ldap] ‘url’ list. It is false by default.


Bug Fixes

  • Passwords that are hashed using bcrypt are now truncated properly to the maximum length allowed by the algorithm. This fixes a regression in which passwords longer than 54 characters were invalidated after the Keystone upgrade.


New Features

  • [blueprint support-oauth2-mtls] Provide users with proof-of-possession of OAuth 2.0 access tokens based on RFC 8705, OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. Users can now use the OAuth 2.0 Access Token API to obtain an OAuth 2.0 certificate-bound access token from the keystone identity server using OAuth 2.0 credentials and Mutual-TLS certificates. Users can then present the certificate-bound access token together with the Mutual-TLS certificates to access OpenStack APIs that use the keystone middleware to support OAuth 2.0 Mutual-TLS client authentication.
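As an added illustration of what "certificate-bound" means in RFC 8705 (this is not keystone's or keystonemiddleware's own code), the issuer records the SHA-256 thumbprint of the client's mTLS certificate in the token's `cnf` confirmation claim, and the resource server recomputes that thumbprint from the certificate presented on the request and rejects the token on a mismatch. The DER byte strings below are constructed placeholders standing in for real certificates, and the claim layout follows RFC 8705 rather than keystone's token format.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed placeholders: in practice these are the DER-encoded client
# certificates taken from the TLS handshake, not real certificates here.
CLIENT_CERT_DER = b"constructed-stand-in-for-the-client-certificate-DER"
OTHER_CERT_DER = b"constructed-stand-in-for-some-other-certificate-DER"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1 thumbprint: base64url(SHA-256(DER)) without '=' padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, client_cert_der: bytes) -> dict:
    """Issuer side: attach the confirmation ('cnf') claim to the token payload."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound


def verify_binding(token_claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server side: accept the token only if the caller presented the
    certificate whose thumbprint the token was bound to."""
    if presented_cert_der is None:
        # A bound token on a request without an mTLS client certificate is unusable.
        return False
    cnf = token_claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        # Token carries no (or a malformed) binding: treat as not bound to this cert.
        return False
    # Constant-time comparison of the two thumbprint strings.
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


if __name__ == "__main__":
    token = bind_token({"sub": "alice", "scope": "openstack"}, CLIENT_CERT_DER)
    print("same cert   :", verify_binding(token, CLIENT_CERT_DER))
    print("other cert  :", verify_binding(token, OTHER_CERT_DER))
    print("no cert     :", verify_binding(token, None))
```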

Security Issues

  • Passwords will now be automatically truncated if max_password_length is greater than the length allowed by the selected password hashing algorithm. Currently only bcrypt has a fixed allowed length defined, which is 54 characters. A warning is written to the log whenever a password is truncated. Existing passwords are not modified; however, only the first 54 characters of existing bcrypt passwords will be validated.

  • [bug 1992183] [CVE-2022-2447] Tokens issued with application credentials will now have their expiration validated against that of the application credential. If the application credential expires before the token, the token’s expiration will be set to the same expiration as the application credential. Otherwise the token will use the configured value.