openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

Service list/online status not updated after authenticator delete #1610

Closed nf-npieros closed 1 month ago

nf-npieros commented 1 year ago

When an enrolled identity's authenticator is deleted (via a re-enroll) the desktop client does not refresh the identity's online status or service list.

Steps to reproduce:

1. Create an identity and give it access to one or more services.
2. Enroll the identity via the desktop client.
3. Verify the service details show up in the desktop client.
4. Re-enroll the authenticator to delete the current authenticator and generate a new enrollment.

At this point, the desktop client will continue to show the services for the identity and continue to show it as enrolled until the user either manually restarts the desktop client or something else triggers a refresh.

smilindave26 commented 1 year ago

Hi @nf-npieros - Can you tell me the steps you take to "re-enroll the authenticator"?

nf-npieros commented 1 year ago

Hi Dave, I'm currently doing this through the MOP, which in turn is using the `/authenticators/{id}/re-enroll` ziti edge endpoint. The MOP API changes to allow re-enrolls should be available in the lower environments.

I'm not sure if re-enroll is exposed via the CLI, but doing `ziti edge delete authenticator <id>` should yield the same result for the purposes of debugging. The only difference should be that delete authenticator won't create a new enrollment, which shouldn't matter for this issue.

smilindave26 commented 1 year ago

Thanks. If at step 1 you delete the identity from ZDE does everything work as expected (or "forget" the identity from ZME)?

nf-npieros commented 1 year ago

If I remove the identity from the desktop edge it still works as expected. However, if the identity is left in the desktop edge prior to the authenticator being deleted, the UI will not automatically be refreshed like it would for something like a change to a service.

smilindave26 commented 1 year ago

Thanks. It looks like the api-session remains valid after the authenticator was deleted. I'll let it sit until the api-session expires to see what happens, but there was no message logged at ZDE indicating any change. I'll check with @andrewpmartinez to see what behavior is expected (e.g., should the existing session have been deleted).

nf-npieros commented 1 year ago

Ok, let me know what ends up happening with the session. From my testing I was seeing that once the authenticator is deleted I can no longer use my services but I hadn't looked at the api session in ziti.

andrewpmartinez commented 1 year ago

If the authenticator is being effectively revoked (by being replaced) it makes sense that all API sessions tied to that authenticator be removed. I do understand that this makes it interesting for clients because they will randomly lose their API session. However, we need to handle this as admins can randomly delete API sessions as well.
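The reproduction steps above and the diagnosis that the api-session outlives the deleted authenticator can be turned into a repeatable check against the controller. The following is an added example, not code from the OpenZiti project or from anyone in this thread. It logs in to the Edge Management API with an admin password, snapshots `/authenticators` and `/api-sessions`, deletes every authenticator of one identity, and then reports api-sessions belonging to identities that had an authenticator before, have none now, and are still logged in. The controller URL, admin credentials, CA path and identity name are assumptions; the sample entity lists at the bottom are constructed so that the pure check can be run offline.

```python
import json
import ssl
import sys
import urllib.parse
import urllib.request

# Assumed values for illustration; none of these come from the issue.
CONTROLLER = "https://ziti-controller.example.com:1280"  # assumption
ADMIN_USER = "admin"                                     # assumption
ADMIN_PASSWORD = "changeme"                              # assumption
CA_FILE = None  # path to the controller CA PEM, or None for the system trust store


def orphaned_sessions(auth_before, auth_after, sessions_after):
    """Return api-sessions that outlived their identity's last authenticator.

    auth_before/auth_after are the "data" arrays of GET /authenticators taken before
    and after the delete; sessions_after is the "data" array of GET /api-sessions
    taken after it. An identity that had an authenticator, now has none, and still
    holds an api-session is the state this issue describes. Identities that never
    had an authenticator (for example routers) are ignored to avoid false positives.
    """
    had = {a["identityId"] for a in auth_before}
    still_has = {a["identityId"] for a in auth_after}
    lost_all = had - still_has
    return [s for s in sessions_after if s["identityId"] in lost_all]


class Mgmt:
    """Minimal Edge Management API client: password login, paged GET, DELETE."""

    def __init__(self, base, cafile=None):
        self.base = base.rstrip("/") + "/edge/management/v1"
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token = None

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, method=method, data=data)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("zt-session", self.token)  # session token from /authenticate
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def login(self, user, password):
        out = self._call("POST", "/authenticate?method=password",
                         {"username": user, "password": password})
        self.token = out["data"]["token"]

    def list_all(self, entity, flt=None):
        """Follow limit/offset paging until meta.pagination.totalCount is reached."""
        items, offset, limit = [], 0, 100
        extra = "&filter=" + urllib.parse.quote(flt) if flt else ""
        while True:
            page = self._call("GET", f"/{entity}?limit={limit}&offset={offset}{extra}")
            items.extend(page["data"])
            offset += limit
            if offset >= page["meta"]["pagination"]["totalCount"]:
                return items

    def delete_authenticator(self, auth_id):
        self._call("DELETE", f"/authenticators/{urllib.parse.quote(auth_id)}")


def reproduce(identity_name):
    """Delete all authenticators of one identity and report lingering api-sessions."""
    api = Mgmt(CONTROLLER, CA_FILE)
    api.login(ADMIN_USER, ADMIN_PASSWORD)
    ids = {i["id"] for i in api.list_all("identities", f'name="{identity_name}"')}
    auth_before = api.list_all("authenticators")
    for a in auth_before:
        if a["identityId"] in ids:
            api.delete_authenticator(a["id"])
    auth_after = api.list_all("authenticators")
    return orphaned_sessions(auth_before, auth_after, api.list_all("api-sessions"))


# Constructed sample data mirroring the shape of the management API "data" arrays.
SAMPLE_AUTH_BEFORE = [
    {"id": "auth-admin", "identityId": "id-admin", "method": "updb"},
    {"id": "auth-laptop", "identityId": "id-laptop", "method": "cert"},
]
SAMPLE_AUTH_AFTER = [{"id": "auth-admin", "identityId": "id-admin", "method": "updb"}]
SAMPLE_SESSIONS_AFTER = [
    {"id": "sess-1", "identityId": "id-admin", "identity": {"name": "admin"}},
    {"id": "sess-2", "identityId": "id-laptop", "identity": {"name": "laptop"}},
    {"id": "sess-3", "identityId": "id-router", "identity": {"name": "er1"}},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        lingering = reproduce(sys.argv[1])
    else:
        lingering = orphaned_sessions(SAMPLE_AUTH_BEFORE, SAMPLE_AUTH_AFTER, SAMPLE_SESSIONS_AFTER)
    for s in lingering:
        print(f"api-session {s['id']} for identity {s['identity']['name']} survived authenticator deletion")
```

Run with an identity name to exercise a live controller, or with no arguments to evaluate the constructed sample, where only the laptop's session is flagged: the admin still has its `updb` authenticator, and the router never had one. A non-empty result right after the delete, and an empty one once the api-session has timed out, is exactly the behaviour observed in this thread.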

smilindave26 commented 1 year ago

Once the api-session expired, the status was correctly updated in ZDE. I'm going to move this issue to the edge repo.

andrewpmartinez commented 1 month ago

This functionality refers to legacy authentication (i.e. non-OIDC). OpenZiti is moving to a new authentication model where this issue is handled differently, through revocations that can be issued.

Closing due to end-of-life support for legacy authentication.