wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

[Intermittently] Session Expiry Issue When Removing More Than Two Users Sequentially from a Group #18761

Closed NilukaSripalim closed 1 day ago

NilukaSripalim commented 10 months ago

Describe the issue: After adding more than two users to a group, attempting to remove more than two users from the group sequentially results in a session expiry.

How to reproduce:

  1. Add more than two users to a group.
  2. Sequentially attempt to remove more than two users from the group.

Expected behavior: The removal of users from the group should not result in a session expiry.

Environment information (Please complete the following information; remove any unnecessary fields):


group-session.webm

ZiyamSanthosh commented 10 months ago

Analysis

  1. The issue is not related to deleting multiple users. It occurs during an attempt to delete the admin user from an existing group.
  2. When the admin user is removed from a group, all the tokens related to the admin user are getting revoked. Hence, the session gets expired and the admin gets logged out from the console.
  3. This is an expected behaviour in our current architecture where all tokens related to a user will be revoked after the user gets removed from the group. https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/ae84cb940422ec0b60e1c697cd6f5ddfda3e8348/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java#L779

The tokens are being revoked since the tokens will have the scopes mapped to relevant permissions which could have been assigned to the user by adding the user to the specific group. To remove those permissions, all the active tokens are being revoked.

Hence this behaviour is expected; reducing the priority of the issue. Further discussion has to be conducted.

FYI @hasanthiP

ZiyamSanthosh commented 10 months ago

Observations in IS 6.1

Consider that the admin user has logged in to the console.

  1. If the admin user is removed from a group, the token is revoked. Hence the session gets expired and the user gets logged out.
  2. If the admin user is removed from a role, the token is revoked. Hence the session gets expired and the user gets logged out.

Observations in IS 7.0

  1. Same behaviour is restored for user removal from a group scenario.
  2. The session does not get expired when the admin is removed from a role.

Fix for this issue: Even though the implementation to terminate the session is already implemented with [1], the relevant events are not subscribed to by the event handler.

Issue [2] has been created to track this issue.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2198
[2] https://github.com/wso2/product-is/issues/18813

DMHP commented 10 months ago

Ideally, none of the tokens should be invalidated when an admin user is removed from a certain group. However, when a user's groups are updated, all of the tokens are revoked due to the way we have implemented this. It appears that after the user and group roles are separated, the token revocation process is not being handled correctly. We need to fix this with a proper evaluation.
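The two revocation policies discussed in this thread, as an added example that is not WSO2 Identity Server code: `revoke_all` models the current behaviour ZiyamSanthosh describes (every active token of the user is revoked on group removal, which is what terminates the admin's console session), and `revoke_affected` models the narrower evaluation DMHP asks for (revoke only tokens that carry a scope whose backing permission the user actually lost). The group-to-permission and permission-to-scope tables and the token records are constructed sample data, not values from any deployment.

```python
from dataclasses import dataclass

# Constructed sample configuration (hypothetical names, not from the page or product):
# which permissions each group grants, and which OAuth scope each permission backs.
GROUP_PERMISSIONS = {
    "admins": {"users:write", "groups:write", "users:read"},
    "auditors": {"users:read"},
}
PERMISSION_SCOPE = {
    "users:write": "internal_user_mgt_update",
    "groups:write": "internal_group_mgt_update",
    "users:read": "internal_user_mgt_view",
}


@dataclass
class Token:
    token_id: str
    user: str
    scopes: frozenset
    active: bool = True


def effective_permissions(groups):
    """Union of the permissions granted by every group the user is still in."""
    perms = set()
    for g in groups:
        perms |= GROUP_PERMISSIONS.get(g, set())
    return perms


def revoke_all(tokens, user):
    """Current behaviour described in the thread: on any group removal, revoke
    every active token of the user, regardless of what the token can do."""
    revoked = []
    for t in tokens:
        if t.user == user and t.active:
            t.active = False
            revoked.append(t.token_id)
    return revoked


def revoke_affected(tokens, user, groups_before, groups_after):
    """Narrower policy: compute the permissions the user lost by the group change
    and revoke only tokens holding a scope backed by a lost permission. A token
    that never carried a lost scope keeps working, so a console session that does
    not rely on the removed permission survives."""
    lost = effective_permissions(groups_before) - effective_permissions(groups_after)
    lost_scopes = {PERMISSION_SCOPE[p] for p in lost if p in PERMISSION_SCOPE}
    revoked = []
    for t in tokens:
        if t.user == user and t.active and t.scopes & lost_scopes:
            t.active = False
            revoked.append(t.token_id)
    return revoked


def sample_tokens():
    """Constructed tokens: a console session token with a view scope only, and an
    API token with an update scope, both for the same admin user."""
    return [
        Token("console-1", "admin", frozenset({"internal_user_mgt_view"})),
        Token("api-1", "admin", frozenset({"internal_user_mgt_update"})),
        Token("other-1", "alice", frozenset({"internal_user_mgt_update"})),
    ]


if __name__ == "__main__":
    before = {"admins", "auditors"}
    after = {"auditors"}  # admin removed from the "admins" group
    print("revoke_all:", revoke_all(sample_tokens(), "admin"))
    print("revoke_affected:", revoke_affected(sample_tokens(), "admin", before, after))
```

Note the edge case the delta handles: removing the user from a group whose permissions are still granted by another group yields an empty `lost` set, so nothing is revoked, while removing a group that was the only source of a permission revokes exactly the tokens that could still exercise it.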

isharak commented 1 day ago

This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!