Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Put username in refresh token and check usernames match when refreshing a token #129

Open
2 tasks
louise-davies opened this issue Jun 10, 2024 · 1 comment · May be fixed by #134
Open
2 tasks

Put username in refresh token and check usernames match when refreshing a token #129

louise-davies opened this issue Jun 10, 2024 · 1 comment · May be fixed by #134
Labels
bug Something isn't working

Comments

@louise-davies
Copy link
Member

Description:
@VKTB pointed out that currently, any refresh token can refresh any access token, so if a user with a valid refresh token got someone else's access token, they could refresh it and be given a new valid access token with the other user's credentials. We should put the user's username in the refresh token, and then do a check in the refresh endpoint to check if the refresh token's username matches the access token's username before issuing a new access token.

Acceptance criteria:

  • Username is in the payload of a refresh token
  • Refresh tokens can only refresh access tokens which match their username
@louise-davies louise-davies added the bug Something isn't working label Jun 10, 2024
@louise-davies
Copy link
Member Author

We should also maybe check they're still a valid user via LDAP...

VKTB added a commit that referenced this issue Nov 8, 2024
@VKTB
Check usernames in tokens match before refreshing access token #129
c80ac0c
@VKTB VKTB linked a pull request Nov 8, 2024 that will close this issue
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Port API to FastAPI #133 ral-facilities/scigateway-auth
1 participant
@louise-davies