/api/jwt/refresh not correctly returning SSO sessions
Description
A customer reported an issue where the Admin User view of sessions was not displaying any sessions for User A, yet User A was able to log in via SSO (from a previously established SSO session).
This behavior stems from /api/jwt/refresh not correctly returning active SSO refresh tokens.
Affects versions
up to 1.47.1
Steps to reproduce
Steps to reproduce the behavior:
1. Set up a tenant and application.
2. Under tenant settings:
   - set OAuth Session timeout to something long, like 2 days
   - set JWT settings to something much shorter, like 3 minutes JWT and 4 minutes Refresh Token
   - no need to override JWT settings in the application
3. Log the user into this application with the "keep me logged in" box checked.
4. Verify 2 sessions are displayed under /admin/user/manage/{userId}: one for the refresh token and one for Single sign-on.
5. Correspondingly, an API request to /api/jwt/refresh?userId={userId} returns two tokens for this user.
6. Wait 4 minutes.
7. Now you will not see any sessions displayed under /admin/user/manage/{userId}.
8. Similarly, /api/jwt/refresh?userId={userId} does not return any tokens for this user.
9. However, the user can still log in to the application without a password.
Expected behavior
After 4 minutes, you should still see the Single sign-on session displayed under /admin/user/manage/{userId}.
A call to /api/jwt/refresh?userId={userId} should return the SSO token that does not have the applicationId.
Screenshots
Platform
OS: macOS
Browser: Brave
Database: PostgreSQL
Release Notes
When using the Refresh Token API, un-expired SSO sessions may be incorrectly omitted from the API response. The result of this bug is that an active SSO session may not be displayed in the FusionAuth admin UI. This has now been corrected, and the FusionAuth admin UI and the Refresh Token API will correctly return all valid SSO sessions.
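The reproduction above is easy to turn into a regression check: snapshot the user's refresh tokens right after login, wait past the application refresh token TTL, snapshot again, and flag any token that should still be live by its TTL but has disappeared from the second response. The following is an added example and is not FusionAuth's own code. It assumes the Retrieve Refresh Tokens response has the shape {"refreshTokens": [{"id", "userId", "startInstant" (epoch ms), optional "applicationId"}]}, that an entry without applicationId is the SSO session, and, as a simplification, that both token kinds expire a fixed interval after startInstant. The base URL, API key, user and application IDs and the two snapshots are constructed for the example; fetch_refresh_tokens is only needed against a live server.

```python
import json
import urllib.request

# Tenant settings from the repro steps (constructed constants, not read from the API)
REFRESH_TOKEN_TTL_SECONDS = 4 * 60            # "4 minutes Refresh Token"
SSO_SESSION_TIMEOUT_SECONDS = 2 * 24 * 3600   # "OAuth Session timeout ... 2 days"


def fetch_refresh_tokens(base_url, api_key, user_id):
    """Live call to GET /api/jwt/refresh?userId=... (not used by the offline check).

    The response shape ({"refreshTokens": [...]}) is an assumption of this example.
    """
    req = urllib.request.Request(
        f"{base_url}/api/jwt/refresh?userId={user_id}",
        headers={"Authorization": api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def split_tokens(response):
    """Return (sso_tokens, app_tokens).

    The SSO session is the refresh token with no applicationId; an
    application refresh token carries one.
    """
    tokens = response.get("refreshTokens", [])
    sso = [t for t in tokens if not t.get("applicationId")]
    app = [t for t in tokens if t.get("applicationId")]
    return sso, app


def expires_at_ms(token):
    """Expiry implied by the tenant TTLs (fixed-expiration simplification)."""
    ttl = (REFRESH_TOKEN_TTL_SECONDS if token.get("applicationId")
           else SSO_SESSION_TIMEOUT_SECONDS)
    return token["startInstant"] + ttl * 1000


def wrongly_omitted(before, after, now_ms):
    """IDs of tokens present in `before`, still live at `now_ms` by TTL,
    but missing from `after`. A non-empty result reproduces the bug."""
    present_after = {t["id"] for t in after.get("refreshTokens", [])}
    return sorted(
        t["id"] for t in before.get("refreshTokens", [])
        if expires_at_ms(t) > now_ms and t["id"] not in present_after
    )


# Constructed sample data mirroring the repro steps
T0 = 1_696_204_800_000                                  # login instant, epoch ms
USER_ID = "00000000-0000-0000-0000-0000000000aa"        # constructed user id
APP_ID = "00000000-0000-0000-0000-0000000000bb"         # constructed application id

SNAPSHOT_AT_LOGIN = {"refreshTokens": [
    {"id": "rt-app", "applicationId": APP_ID, "userId": USER_ID, "startInstant": T0},
    {"id": "rt-sso", "userId": USER_ID, "startInstant": T0},   # SSO: no applicationId
]}
T1 = T0 + (4 * 60 + 5) * 1000                           # just over four minutes later
SNAPSHOT_BUGGY = {"refreshTokens": []}                  # what 1.47.1 and earlier return
SNAPSHOT_FIXED = {"refreshTokens": [SNAPSHOT_AT_LOGIN["refreshTokens"][1]]}


def demo():
    """Run the check against both the buggy and the corrected second snapshot."""
    return {
        "buggy": wrongly_omitted(SNAPSHOT_AT_LOGIN, SNAPSHOT_BUGGY, T1),
        "fixed": wrongly_omitted(SNAPSHOT_AT_LOGIN, SNAPSHOT_FIXED, T1),
    }


if __name__ == "__main__":
    print(demo())   # {'buggy': ['rt-sso'], 'fixed': []}
```

Against a live instance, replace the two snapshots with fetch_refresh_tokens calls taken before and after the wait; the application token dropping out at T1 is expected, the SSO token dropping out is the bug.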
bhalsey changed the title from "Admin view of user sessions not always displaying SSO sessions" to "/api/jwt/refresh not correctly returning SSO sessions" on Oct 2, 2023