a-langer / nexus-sso

Single Sign-On patch for Nexus OSS
Eclipse Public License 1.0

how to reset or remove user token #28

Closed dni-coder closed 1 month ago

dni-coder commented 1 month ago

Hello,

When a user is deactivated via SSO, the user token is still valid. How is it possible to reset or remove this user token so that it becomes invalid?!

Regards David

a-langer commented 1 month ago

You need to deactivate the user not only in the identity provider, but also in the Nexus app itself. This is the logic of revoking rights when authorizing through third-party identity providers, see https://help.sonatype.com/en/saml.html#revoking-user-access:

Note that SAML does not allow notification of downstream systems when a user in the identity provider is deactivated. However, as soon as a user is deactivated in the identity provider, they will not be able to log into Sonatype Nexus Repository using SAML.

If these users have user tokens, those will remain present in Sonatype Nexus Repository.

The user's status when authorizing using tokens is checked by an SQL query in shiro.ini#L76.
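The following is an added illustration of the point made in this thread, not code from nexus-sso or Sonatype: a token-based login that joins the token table against the local user table, so a token only works while the account is active in the local store. The schema, table names, usernames and the `status` column are constructed for the example; the real check is the SQL query in shiro.ini referenced above.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema for illustration only; not the real Nexus user/token tables.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, status TEXT NOT NULL);
CREATE TABLE user_tokens (
    token_name TEXT PRIMARY KEY,
    token_hash TEXT NOT NULL,
    username   TEXT NOT NULL REFERENCES users(username)
);
"""

# A token is accepted only if its owning account is still active locally.
# Deactivating the user in the identity provider alone never touches this table.
TOKEN_AUTH_QUERY = """
SELECT t.token_hash
FROM user_tokens t JOIN users u ON u.username = t.username
WHERE t.token_name = ? AND u.status = 'active'
"""


def hash_token(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def open_store() -> sqlite3.Connection:
    """In-memory store with one active user ('david') and one token ('david-ci')."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES ('david', 'active')")
    conn.execute("INSERT INTO user_tokens VALUES ('david-ci', ?, 'david')",
                 (hash_token("s3cret"),))
    conn.commit()
    return conn


def token_is_valid(conn: sqlite3.Connection, token_name: str, secret: str) -> bool:
    row = conn.execute(TOKEN_AUTH_QUERY, (token_name,)).fetchone()
    if row is None:          # unknown token, or owner not active locally
        return False
    return hmac.compare_digest(row[0], hash_token(secret))


def deactivate_in_idp(idp_users: dict, username: str) -> None:
    """Simulates SAML IdP deactivation: the local user store is not informed."""
    idp_users[username] = "disabled"


def deactivate_locally(conn: sqlite3.Connection, username: str) -> None:
    conn.execute("UPDATE users SET status = 'disabled' WHERE username = ?", (username,))
    conn.commit()
```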