/api/jwt/refresh not correctly returning SSO sessions #2489

Closed
bhalsey opened this issue Oct 2, 2023 · 1 comment
bhalsey commented Oct 2, 2023

Description

A customer reported an issue where the Admin User view of sessions was not displaying any sessions for User A, yet User A was able to log in via SSO (from a previously established SSO session).

This behavior stems from /api/jwt/refresh not correctly returning active SSO refresh tokens.

Affects versions

up to 1.47.1

Steps to reproduce

Steps to reproduce the behavior:

  1. Set up a tenant and application
  2. Under tenant settings,
    • set OAuth Session timeout to something long, like 2 days
    • set JWT settings to something much shorter, like 3 minutes JWT and 4 minutes Refresh Token
  3. No need to override JWT settings in the application
  4. Log the user into this application with the keep me logged in box checked
  5. Verify 2 sessions are displayed under /admin/user/manage/{userId}. One for the refresh token and one for Single sign-on.
  6. Correspondingly, an API request to /api/jwt/refresh?userId={userId} returns two tokens for this user
  7. Wait 4 minutes
  8. Now you will not see any sessions displayed under /admin/user/manage/{userId}
  9. Similarly, /api/jwt/refresh?userId={userId} does not return any tokens for this user.
  10. However, the user can still log in to the application without a password.

Expected behavior

After 4 minutes, you should still see the Single sign-on session displayed under /admin/user/manage/{userId}.
A call to /api/jwt/refresh?userId={userId} should return the SSO token that does not have the applicationId.

Screenshots

(two screenshots attached: 2023-10-02 at 4:25:51 PM and at 4:34:41 PM)

Platform

  • OS: macOS
  • Browser: Brave
  • Database: PostgreSQL

Release Notes

When using the Refresh Token API, un-expired SSO sessions may be incorrectly omitted from the API response. The result of this bug is that an active SSO session may not be displayed in the FusionAuth admin UI. This has now been corrected, and the FusionAuth admin UI and the Refresh Token API will correctly return all valid SSO sessions.

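The check below is an added example, not code from the issue or from FusionAuth. It encodes the expectation stated in the repro steps: an application refresh token lives for the tenant's refresh-token TTL (4 minutes), while an SSO session token, recognisable by the absence of an applicationId, lives for the OAuth session timeout (2 days), so a listing taken after the 4-minute mark that returns nothing has omitted a live session. The practical concern is that a session an administrator cannot see is one they cannot knowingly revoke. Assumptions, all labelled in the code: the Refresh Token API JSON shape (a refreshTokens array whose entries carry startInstant in epoch milliseconds and an optional applicationId), that a token's lifetime runs from startInstant, and constructed ids and timestamps in place of real ones.

```python
"""Cross-check a FusionAuth refresh-token listing against the TTL rules.

Added example, not FusionAuth code.  Assumptions: the JSON follows the shape
of GET /api/jwt/refresh?userId={userId} (a "refreshTokens" list, optional
"applicationId", "startInstant" in epoch ms); a token's lifetime is counted
from startInstant; SSO tokens (no applicationId) live for the tenant OAuth
session timeout, application tokens for the JWT refresh-token TTL.
"""
import json

# Tenant settings taken from the issue's reproduction steps.
REFRESH_TOKEN_TTL_MINUTES = 4
SSO_SESSION_TIMEOUT_SECONDS = 2 * 24 * 60 * 60

# Constructed placeholders, not real identifiers.
USER_ID = "00000000-0000-0000-0000-00000000aaaa"
APP_ID = "00000000-0000-0000-0000-00000000bbbb"
LOGIN_AT_MS = 1_696_283_000_000  # constructed login instant (epoch ms)

# Constructed response resembling the API right after step 6 of the issue:
# one application-scoped refresh token and one SSO token for the same user.
SAMPLE_RESPONSE = json.dumps({
    "refreshTokens": [
        {"id": "rt-app", "applicationId": APP_ID, "userId": USER_ID,
         "insertInstant": LOGIN_AT_MS, "startInstant": LOGIN_AT_MS,
         "metaData": {"device": {"type": "BROWSER"}}},
        {"id": "rt-sso", "userId": USER_ID,
         "insertInstant": LOGIN_AT_MS, "startInstant": LOGIN_AT_MS,
         "metaData": {"device": {"type": "BROWSER"}}},
    ]
})


def is_sso_token(token: dict) -> bool:
    """An SSO session token carries no applicationId (as the issue states)."""
    return token.get("applicationId") is None


def ttl_ms(token: dict) -> int:
    """Lifetime for this token under the tenant settings above."""
    if is_sso_token(token):
        return SSO_SESSION_TIMEOUT_SECONDS * 1000
    return REFRESH_TOKEN_TTL_MINUTES * 60 * 1000


def classify(response_json: str) -> dict:
    """Split a listing into SSO and application-scoped token ids."""
    tokens = json.loads(response_json)["refreshTokens"]
    return {
        "sso": [t["id"] for t in tokens if is_sso_token(t)],
        "application": [t["id"] for t in tokens if not is_sso_token(t)],
    }


def expected_live_ids(response_json: str, now_ms: int) -> set:
    """Ids of tokens in the listing that should still be live at now_ms."""
    tokens = json.loads(response_json)["refreshTokens"]
    return {t["id"] for t in tokens if t["startInstant"] + ttl_ms(t) > now_ms}


def audit_listing(baseline_json: str, later_json: str, now_ms: int) -> set:
    """Compare a snapshot taken right after login with a later snapshot.

    Returns ids that should still be listed at now_ms but are missing from
    the later snapshot.  A non-empty result means a live session is
    invisible to the admin view, so it cannot be reviewed or revoked there.
    """
    observed = {t["id"] for t in json.loads(later_json)["refreshTokens"]}
    return expected_live_ids(baseline_json, now_ms) - observed


if __name__ == "__main__":
    # Step 9 of the issue: five minutes in, the API returns no tokens.
    five_min_later = LOGIN_AT_MS + 5 * 60_000
    print("omitted:", audit_listing(SAMPLE_RESPONSE,
                                    '{"refreshTokens": []}', five_min_later))
```

To run this against a real tenant, take the baseline snapshot from GET /api/jwt/refresh?userId={userId} immediately after the keep-me-logged-in login, the later snapshot after the refresh-token TTL has elapsed, and adjust the two TTL constants to the tenant's actual settings.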
@bhalsey bhalsey changed the title Admin view of user sessions not always displaying SSO sessions /api/jwt/refresh not correctly returning SSO sessions Oct 2, 2023
@bhalsey bhalsey added the bug Something isn't working label Oct 6, 2023
@bhalsey bhalsey self-assigned this Oct 6, 2023
@robotdan robotdan added this to Backlog in FusionAuth Issues via automation Oct 10, 2023
@robotdan robotdan removed this from Backlog in FusionAuth Issues Oct 10, 2023
@bhalsey bhalsey added this to the 1.48.0 milestone Oct 10, 2023
bhalsey commented Oct 10, 2023

@bhalsey bhalsey added this to Backlog in FusionAuth Issues via automation Oct 10, 2023
@bhalsey bhalsey moved this from Backlog to Reviewer approved in FusionAuth Issues Oct 10, 2023
@robotdan robotdan moved this from Reviewer approved to Code complete in FusionAuth Issues Oct 11, 2023
@robotdan robotdan moved this from Code complete to Delivered in FusionAuth Issues Oct 30, 2023