fsinfuhh / Bitpoll

A web application for scheduling meetings and general polling.
GNU General Public License v3.0

OpenId Connect integration #147

Closed timonegk closed 8 months ago

Akasch commented 9 months ago

I see caching for the Auth-Tokens: is it checked to revoke the tokens if the user changes his password or performs a logout on the central SSO?

ftsell commented 9 months ago

I see caching for the Auth-Tokens: is it checked to revoke the tokens if the user changes his password or performs a logout on the central SSO?

Those are tokens not issued for a user but to the application itself (sometimes it's called service account authentication). There is no user involved who can change their password.

Akasch commented 9 months ago

I haven't looked into it, but I quite often see that a logout on the central SSO platform or a password change there does not invalidate active sessions in the applications that have an ongoing session for the user. This leads to the problem that if the user's password has been stolen and the attacker has authenticated, the user cannot invalidate the existing sessions.

timonegk commented 9 months ago

As Finn said, the caching here is only about bitpoll's token required to request the users in a group.

However, your point about SSO login is probably still valid. @ftsell do you know how we handle that or if we should change something in the simple_openid_connect library to make sure that a token is still valid?
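To make the distinction in this thread concrete, here is an added example (not Bitpoll's or simple_openid_connect's code): the cached token is the application's own client-credentials token, which only needs expiry-aware refresh, while a user's SSO-backed session needs a separate re-check against the IdP. The `fetch` and `introspect` callables and the `session` dict layout are assumptions for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # absolute time, seconds since epoch


class ClientCredentialsCache:
    """Cache for the application's own access token (client-credentials grant).

    No user is involved, so nothing but the token's own lifetime invalidates it;
    we refresh `margin` seconds before `expires_in` runs out.
    """

    def __init__(self, fetch: Callable[[], dict],
                 clock: Callable[[], float] = time.time, margin: float = 30.0):
        self._fetch = fetch    # hypothetical: performs the token request at the IdP
        self._clock = clock
        self._margin = margin
        self._token: Optional[CachedToken] = None

    def get(self) -> str:
        now = self._clock()
        if self._token is None or self._token.expires_at - self._margin <= now:
            resp = self._fetch()  # token endpoint response: access_token, expires_in
            self._token = CachedToken(resp["access_token"], now + float(resp["expires_in"]))
        return self._token.access_token


def session_still_valid(session: dict, introspect: Callable[[str], dict],
                        clock: Callable[[], float] = time.time,
                        recheck_after: float = 300.0) -> bool:
    """Re-validate a user's SSO-backed session on the application side.

    `session` (constructed layout) holds the ID token's `exp` claim, the access
    token and when we last confirmed it with the IdP. `introspect` is a
    hypothetical RFC 7662 introspection call. The session is rejected once the
    ID token has expired or the IdP reports the token inactive, which is what
    happens after a central logout or password change that revokes tokens.
    """
    now = clock()
    if session["id_token_exp"] <= now:
        return False
    if now - session.get("last_checked", 0) >= recheck_after:
        if not introspect(session["access_token"]).get("active", False):
            return False
        session["last_checked"] = now
    return True
```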

ftsell commented 9 months ago

However, your point about SSO login is probably still valid. @ftsell do you know how we handle that or if we should change something in the simple_openid_connect library to make sure that a token is still valid?

Hmm, good question :thinking: I haven't verified this extensively, but what I think is happening is that the mechanism here is two-fold: