OpenStack Keystone versions prior to 29.0.2 contain an authorization flaw in the federated token rescoping process. Specifically, when a federated user rescopes a token via the POST /v3/auth/tokens endpoint, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at field. Consequently, the token provider issues a new token with a default time-to-live rather than respecting the original token's expiry. This allows users to repeatedly rescope tokens before expiration, effectively bypassing operator-configured token lifetime restrictions and maintaining indefinite access. The vulnerability affects federated identity deployments using SAML2 or OpenID Connect and is classified under CWE-863 (Incorrect Authorization).

An attacker with federated identity credentials can bypass token lifetime policies by repeatedly rescoping tokens, enabling indefinite access to OpenStack Keystone services. This undermines the intended security controls on token expiration and session duration, potentially leading to prolonged unauthorized access. The impact includes partial confidentiality, integrity, and availability loss as indicated by the CVSS vector, but no known exploits are reported in the wild.

Patch status is not yet confirmed — check the OpenStack vendor advisory for current remediation guidance. Until an official fix is available, operators should monitor federated token usage patterns and consider additional compensating controls to limit token rescoping frequency or enforce session expiration externally. No vendor advisory or patch links are currently provided.