Open austindonnelly opened 3 months ago
@austindonnelly Yes, I'm guessing the token contains permission information. The PIM-activate changes the permissions granted to identities in the group, which effectively makes the permission information in the token out-of-date. I can see a manual token refresh being useful.
I don't think a full auth reset should be necessary, though. Can you just sign out and sign back in?
Yes, that works (Remove account, Re-add account). But that's quite heavyweight compared to what I really would like, which is a "Refresh token" menu option.
Preflight Checklist
Storage Explorer Version
1.34.0 (99)
Regression From
No response
Architecture
x64
Storage Explorer Build Number
20240523.2
Platform
Windows
OS Version
Windows 11 24H2
Bug Description
Our RBAC config for a storage account grants Storage Queue Data Reader role permanently to a group, called QueueReaders - this is for normal monitoring use. If we need to edit the queue, we require users to PIM-activate into membership of a group called QueueWriters. The QueueWriters group is permanently granted Storage Queue Data Contributor access to the storage account, but normally has zero members until someone PIM activates their membership.
This works, but there's a long delay between activating group membership, and being able to operate on the queue in Storage Explorer. This can be sped up by going Help > Reset and resetting the authentication. This then forces a reconnect via the normal Account Management flow, and has the side effect of getting a new user token.
The user JWT token lists the group memberships as part of the token, so I imagine that the token gets cached, and the effect of elevation isn't seen until the token is refreshed.
Would it be possible to have a "Refresh token" option in the menu somewhere, so we can get a new token faster?
Repro steps:
Steps to Reproduce
Actual Experience
Delete queue message fails with a permission denied type error
Expected Experience
Delete queue message should succeed.
Additional Context
No response
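The stale-token behaviour described in this issue can be checked by decoding a cached access token and comparing its issue time and `groups` claim against the PIM activation time. The following is an added example, not code from this issue or from Storage Explorer; it assumes the token carries the Microsoft Entra claims `iat`, `exp`, `groups` and the overage markers `_claim_names` / `hasgroups`, and the function names, group IDs and sample tokens are constructed placeholders.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def token_reflects_activation(jwt, group_id, activated_at):
    """Inspect a cached token. The signature is NOT verified: diagnostics only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = b64url_json(parts[1])
    issued = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    # Overage: with many groups the list is replaced by a pointer claim,
    # so an absent group id does not prove the membership is missing.
    names = claims.get("_claim_names", {})
    return {
        "issued": issued,
        "expires": datetime.fromtimestamp(claims["exp"], tz=timezone.utc),
        "predates_activation": issued < activated_at,
        "has_group": group_id in claims.get("groups", []),
        "groups_overage": "groups" in names or claims.get("hasgroups") is True,
    }


def make_sample(claims):
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample data: placeholder group ids, not from any real tenant.
QUEUE_READERS = "00000000-0000-0000-0000-0000000000aa"
QUEUE_WRITERS = "00000000-0000-0000-0000-0000000000bb"
ACTIVATED = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)
def at(minutes):
    return int((ACTIVATED + timedelta(minutes=minutes)).timestamp())
STALE = make_sample({"iat": at(-30), "exp": at(30), "groups": [QUEUE_READERS]})
FRESH = make_sample({"iat": at(5), "exp": at(65),
                     "groups": [QUEUE_READERS, QUEUE_WRITERS]})

if __name__ == "__main__":
    for name, tok in (("stale", STALE), ("fresh", FRESH)):
        print(name, token_reflects_activation(tok, QUEUE_WRITERS, ACTIVATED))
```

A token with `predates_activation` true and `has_group` false stays that way until its `exp`, which matches the delay reported above.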