Open zackriso opened 2 years ago
Currently, that's expected behavior because the MFA token has a duration itself, and we leverage that to ask for it the least number of times. However, I think it's an excellent suggestion for the "logout" action to make this behavior selectable (and remember the option for changing Leapp behavior). I'll label this as "enhancement." Thank you very much!
Thanks for your feedback.
The way I understand it, Logout means "clear all sessions, active or inactive, including the MFA tokens". Otherwise, we are decreasing the security advantage of having 2FA in the first place :)
Most, if not all, other tools I have used do invalidate everything, and 2FA has to be re-entered. But I like the idea of letting the user decide on their own what level of security they want or what their intention is.
Currently, I have no way to tell Leapp to forget my sessions other than by deleting the actual account.
Describe the bug The IAM Role Chained session, which has 2FA activated, does not flush the existing/active sessions after using the "Logout" button.
Leapp Version: 0.8.1
To Reproduce
Expected behavior I would expect Leapp to ask me to enter my 2FA again, since I explicitly asked to clear my session by doing "Logout" from Leapp's menu. This is similar to a Logout link, which should delete all cookies, JWTs, and so on, so the user has to re-authenticate from scratch, including in this case entering their 2FA again.
Desktop (please complete the following information): Linux kali 5.14.0-kali4-amd64 #1 SMP Debian 5.14.16-1kali1 (2021-11-05) x86_64 GNU/Linux
Additional context It seems that Assume-Role is re-run and obtains new STS tokens, but without asking me to enter 2FA again.
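The mechanism described in this thread (an MFA-derived session token with its own lifetime is cached, so a later Assume-Role can be re-run without a fresh 2FA prompt, and "Logout" only drops the downstream role credentials) can be illustrated with a small model. The following is an added example written for this discussion; it is not Leapp's code and does not use Leapp's or the AWS SDK's APIs. `SessionStore`, `MfaPrompt`, the `flush_mfa` option and the credential strings are all hypothetical, and the clock is injected so the expiry behaviour can be exercised offline.

```python
"""Hypothetical model of MFA-session caching around a role-chained session.

Two layers are cached, as the thread describes:
  * an MFA session (GetSessionToken-style credentials) with a long lifetime,
  * role credentials (AssumeRole-style) with a shorter lifetime, derived from it.
"logout()" by default discards only the role layer, which reproduces the
reported behaviour: the next role session is rebuilt from the still-valid MFA
session and no 2FA code is requested.  "logout(flush_mfa=True)" models the
requested enhancement: everything is dropped and 2FA is re-prompted.
Nothing here talks to AWS; all values are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Credentials:
    access_key_id: str     # constructed placeholder, not a real key id
    expires_at: float      # unix seconds

    def valid(self, now: float) -> bool:
        return now < self.expires_at


class MfaPrompt:
    """Stand-in for the UI dialog that asks the user for a 2FA code."""

    def __init__(self) -> None:
        self.calls = 0

    def ask(self) -> str:
        self.calls += 1
        return "123456"   # constructed code; a real prompt returns user input


class SessionStore:
    def __init__(self, prompt: MfaPrompt, clock, mfa_ttl: float = 12 * 3600,
                 role_ttl: float = 3600) -> None:
        self.prompt = prompt
        self.clock = clock            # callable returning "now" in unix seconds
        self.mfa_ttl = mfa_ttl
        self.role_ttl = role_ttl
        self.mfa_session = None       # cached MFA-derived session credentials
        self.role_creds = None        # cached role-chained credentials

    def get_mfa_session(self) -> Credentials:
        """Return cached MFA credentials; prompt for 2FA only when missing or expired."""
        now = self.clock()
        if self.mfa_session is None or not self.mfa_session.valid(now):
            code = self.prompt.ask()
            self.mfa_session = Credentials(f"MFA-SESSION-{code}", now + self.mfa_ttl)
        return self.mfa_session

    def start_role_session(self) -> Credentials:
        """Model of re-running Assume-Role on top of the (possibly cached) MFA session."""
        base = self.get_mfa_session()
        now = self.clock()
        self.role_creds = Credentials(f"ROLE-from-{base.access_key_id}", now + self.role_ttl)
        return self.role_creds

    def logout(self, flush_mfa: bool = False) -> None:
        """Drop role credentials; drop the MFA session too only when asked (the enhancement)."""
        self.role_creds = None
        if flush_mfa:
            self.mfa_session = None


def prompts_after_logout(flush_mfa: bool) -> int:
    """How many 2FA prompts occur across login, logout and a second login."""
    prompt = MfaPrompt()
    store = SessionStore(prompt, clock=lambda: 1_000.0)
    store.start_role_session()          # first login: 2FA requested once
    store.logout(flush_mfa=flush_mfa)
    store.start_role_session()          # second login after logout
    return prompt.calls


if __name__ == "__main__":
    print("prompts with plain logout:", prompts_after_logout(False))       # 1: reported behaviour
    print("prompts with MFA flush:", prompts_after_logout(True))           # 2: expected behaviour
```

Running the file shows the two behaviours side by side: with a plain `logout()` the second role session is created from the cached MFA session and the user is never re-prompted, while `logout(flush_mfa=True)` forces a second 2FA prompt. The injected clock also lets you confirm that, even without a flush, the prompt returns on its own once the MFA session's lifetime has elapsed.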