Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-6085

Bearer Token isn't killed after user logs out

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.5.0
    • 1.10.0
    • Security
    • None

    Description

      I observed that Authorization Bearer token is not invalidated after a logout.

      Steps to produce 

      Step 1: Login to Nifi as usual.

      Step 2: Copy the authorisation bearer token after the login from /nifi-api/access/token response.

      Step 3: Make a request a curl request as below and observe http 200 response is received with status information.

      curl -v -H "Authorization: Bearer <Token>" https://nifi-server/nifi-api/flow/status

      Step 4: Log out from Nifi Console 

      Step 5: Repeat Step 3 and observe again http 200 response is received with status information even though the user has logged out.

       

      Attachments

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-6280 Re-evaluate handling of Authorization bearer token during JWT logout

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #3362

          Activity

            People

              thenatog Nathan Gough
              abdusahin Abdu Sahin
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 50m
                  50m