Details
- Type: New Feature
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
There is a need for a new feature that allows a pre-configured superuser to invalidate previously issued Knox SSO tokens for one or more particular users, in case one or more of those users' SSO tokens have been compromised in an attack.
In phase I, the following changes have to be implemented:
- Knox SSO cookie validation using PAM, LDAP, and Pac4j authentication/federation
- The Token Management page should be updated so that it contains only one compact table with all the information we need about a generated token (whether it is impersonated, whether it is a Knox SSO cookie, and the available actions)
- Knox SSO cookies can be disabled (invalidated) on the new token management UI, but not revoked.
- Disabled KnoxSSO cookies should be removed from the underlying token state service within the configured eviction period, even if they have not expired
In phase II, the token management page should be updated with the following improvements:
- pre-configured superusers can view other users' tokens, not only their own
- batch operations should be executable using the available actions, so that a superuser can disable a user's tokens in one round
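The following is an added, self-contained model of the token-state behaviour the two phases describe (superuser-only batch disable, SSO cookies that can be disabled but not revoked, and eviction of disabled-but-unexpired entries after a configured period). It is illustrative code written for this page, not Knox's own `TokenStateService` or UI code; the class and function names, the `superusers` set and the `eviction_period_s` parameter are assumptions, and the tokens and timestamps in `demo()` and `access_checks()` are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class TokenRecord:
    """One entry in the token state store (constructed model, not a Knox class)."""
    token_id: str
    subject: str                 # user the token was issued for
    expires_at: float            # absolute epoch seconds
    is_sso_cookie: bool          # KnoxSSO cookie (True) vs. API token (False)
    is_impersonated: bool = False
    enabled: bool = True
    disabled_at: Optional[float] = None


class PermissionDenied(Exception):
    """Actor is neither the token's subject nor a pre-configured superuser."""


class TokenStateService:
    """Hypothetical token state service: issue, validate, disable, revoke, evict."""

    def __init__(self, superusers: Set[str], eviction_period_s: float) -> None:
        self._superusers = set(superusers)
        self._eviction_period_s = eviction_period_s   # assumed config value
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, token_id: str, subject: str, expires_at: float,
              is_sso_cookie: bool, is_impersonated: bool = False) -> None:
        self._tokens[token_id] = TokenRecord(token_id, subject, expires_at,
                                             is_sso_cookie, is_impersonated)

    def validate(self, token_id: str, now: float) -> bool:
        # A token is accepted only if it is known, enabled and not yet expired.
        rec = self._tokens.get(token_id)
        return rec is not None and rec.enabled and now < rec.expires_at

    def _authorize(self, actor: str, rec: TokenRecord) -> None:
        if actor != rec.subject and actor not in self._superusers:
            raise PermissionDenied(f"{actor} may not manage {rec.token_id}")

    def disable(self, actor: str, token_id: str, now: float) -> None:
        rec = self._tokens[token_id]
        self._authorize(actor, rec)
        if rec.enabled:
            rec.enabled = False
            rec.disabled_at = now      # starts the eviction clock

    def revoke(self, actor: str, token_id: str) -> None:
        rec = self._tokens[token_id]
        self._authorize(actor, rec)
        if rec.is_sso_cookie:
            raise ValueError("KnoxSSO cookies can be disabled but not revoked")
        del self._tokens[token_id]

    def disable_all_for_user(self, actor: str, subject: str, now: float) -> List[str]:
        """Phase II batch action: a superuser disables every token of one user."""
        if actor not in self._superusers:
            raise PermissionDenied(f"{actor} is not a superuser")
        hit = [r.token_id for r in self._tokens.values() if r.subject == subject and r.enabled]
        for token_id in hit:
            self.disable(actor, token_id, now)
        return sorted(hit)

    def list_tokens(self, actor: str) -> List[str]:
        # Superusers see everyone's tokens; ordinary users only their own.
        if actor in self._superusers:
            return sorted(self._tokens)
        return sorted(t for t, r in self._tokens.items() if r.subject == actor)

    def evict(self, now: float) -> List[str]:
        """Drop expired tokens, and disabled ones once the eviction period has
        elapsed since they were disabled, even if they have not expired."""
        gone = []
        for token_id, rec in list(self._tokens.items()):
            disabled_long_enough = (not rec.enabled and rec.disabled_at is not None
                                    and now - rec.disabled_at >= self._eviction_period_s)
            if now >= rec.expires_at or disabled_long_enough:
                del self._tokens[token_id]
                gone.append(token_id)
        return sorted(gone)


def demo():
    """Constructed scenario: 'admin' disables compromised user 'alice' in one round."""
    svc = TokenStateService(superusers={"admin"}, eviction_period_s=300)
    svc.issue("sso-alice", "alice", expires_at=10_000, is_sso_cookie=True)
    svc.issue("api-alice", "alice", expires_at=10_000, is_sso_cookie=False)
    svc.issue("sso-bob", "bob", expires_at=10_000, is_sso_cookie=True)
    disabled = svc.disable_all_for_user("admin", "alice", now=1_000)
    valid = {t: svc.validate(t, now=1_001) for t in ("sso-alice", "api-alice", "sso-bob")}
    early = svc.evict(now=1_100)   # period not elapsed, nothing expired: []
    later = svc.evict(now=1_300)   # alice's disabled tokens evicted despite expires_at=10_000
    return disabled, valid, early, later, svc.list_tokens("admin")


def access_checks():
    """Constructed checks for the authorization and 'no SSO revoke' rules."""
    svc = TokenStateService(superusers={"admin"}, eviction_period_s=300)
    svc.issue("sso-alice", "alice", expires_at=10_000, is_sso_cookie=True)
    svc.issue("sso-bob", "bob", expires_at=10_000, is_sso_cookie=True)
    out = {}
    try:
        svc.disable("bob", "sso-alice", now=1)
        out["bob_can_disable_alice"] = True
    except PermissionDenied:
        out["bob_can_disable_alice"] = False
    try:
        svc.revoke("admin", "sso-alice")
        out["sso_cookie_revocable"] = True
    except ValueError:
        out["sso_cookie_revocable"] = False
    out["alice_sees"] = svc.list_tokens("alice")
    return out


if __name__ == "__main__":
    print(demo())
    print(access_checks())
```

The eviction check is deliberately independent of `expires_at`: a disabled SSO cookie leaves the store once the period since `disabled_at` has elapsed, which is the phase I requirement, while an enabled token is only evicted on expiry.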
Issue Links
- causes
  - KNOX-2969 For user-limit to fetch token calculation includes enabled and disabled SSO token count as well, causing failure in generating the JWT token from token gen page (Resolved)
  - KNOX-2968 When multiple enabled tokens selected including a SSO token and perform "enable token" operation fails with invalid error mess (Resolved)
  - KNOX-2970 During knox global logout, the corresponding SSO token should be either disabled or revoked (Resolved)
- links to