Open Rfaering opened 1 month ago
When you copy the authentication cookie to Postman and call /.auth/me, even after 30 days, you are still given the user role authenticated.
You can also call all API endpoints for functions attached to the static web app.
To Reproduce
Steps to reproduce the behavior:
This is the configuration used
```json
{
  "routes": [
    {
      "route": "/*",
      "allowedRoles": ["Authenticated"]
    }
  ],
  "responseOverrides": {
    "401": {
      "statusCode": 302,
      "redirect": "/.auth/login/aad"
    }
  },
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/x/v2.0",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        }
      }
    }
  }
}
```
And this is the response you get from Postman. It seems like all claim information etc. is not present anymore, but you still have the userRoles.
```json
{
  "clientPrincipal": {
    "identityProvider": "aad",
    "userId": "x",
    "userDetails": "x",
    "userRoles": ["authenticated", "anonymous"]
  }
}
```
Is this the intended behavior? If someone should get a hold of the cookie, it seems like a security issue.
Expected behavior
The user is logged out and will have to log in again.
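The symptom in the report is a principal that still carries the `authenticated` role but no claim information. As an added example (not code from the issue or from Azure Static Web Apps), the following Python parses a `/.auth/me`-style body, or the base64 JSON that Static Web Apps forwards to linked functions in the `x-ms-client-principal` header, and lets an API handler refuse principals that have roles but no claims instead of trusting `userRoles` alone. The sample bodies are constructed from the response quoted above; the `claims` list in the "fresh" sample and the `should_accept` policy are assumptions for illustration, not the platform's documented behaviour.

```python
import base64
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the /.auth/me body quoted in the issue (identifiers anonymised as "x").
STALE_RESPONSE = (
    '{"clientPrincipal": {"identityProvider": "aad", "userId": "x", '
    '"userDetails": "x", "userRoles": ["authenticated", "anonymous"]}}'
)

# Constructed sample: assumed shape of a principal right after sign-in, with a
# non-empty claims list (the exact claim set depends on the identity provider).
FRESH_RESPONSE = (
    '{"clientPrincipal": {"identityProvider": "aad", "userId": "x", '
    '"userDetails": "x", "userRoles": ["authenticated", "anonymous"], '
    '"claims": [{"typ": "name", "val": "x"}]}}'
)

# Constructed sample: an unauthenticated caller (clientPrincipal is null).
ANON_RESPONSE = '{"clientPrincipal": null}'


@dataclass
class PrincipalCheck:
    authenticated: bool   # "authenticated" appears in userRoles
    has_claims: bool      # at least one claim is present
    roles: List[str]      # lower-cased role names


def parse_client_principal(body: str) -> Optional[dict]:
    """Return the clientPrincipal object from a /.auth/me body, or None."""
    data = json.loads(body)
    principal = data.get("clientPrincipal")
    return principal if isinstance(principal, dict) else None


def principal_from_header(header_value: str) -> Optional[dict]:
    """Decode the base64 JSON principal that SWA passes to linked functions."""
    raw = base64.b64decode(header_value).decode("utf-8")
    principal = json.loads(raw)
    return principal if isinstance(principal, dict) else None


def assess(principal: Optional[dict]) -> PrincipalCheck:
    """Summarise what the principal actually proves."""
    if principal is None:
        return PrincipalCheck(False, False, [])
    roles = [str(r).lower() for r in principal.get("userRoles", [])]
    claims = principal.get("claims") or []
    return PrincipalCheck("authenticated" in roles, len(claims) > 0, roles)


def should_accept(check: PrincipalCheck, require_claims: bool = True) -> bool:
    """Hypothetical API policy: a role alone is not enough when require_claims is set.

    A principal that carries the authenticated role but no claims matches the
    stale-cookie state described in the issue and is rejected by default.
    """
    if not check.authenticated:
        return False
    if require_claims and not check.has_claims:
        return False
    return True


if __name__ == "__main__":
    for label, body in (("stale", STALE_RESPONSE), ("fresh", FRESH_RESPONSE), ("anon", ANON_RESPONSE)):
        check = assess(parse_client_principal(body))
        print(label, check, "accept:", should_accept(check))
```

In a linked function this check would run on the `x-ms-client-principal` header before any role-based branch, so a cookie that the platform still maps to `authenticated` without any identity claims does not reach business logic.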