mark JWT as invalid at /logout #187
Comments
|
Vouch Proxy is the issuer of the jwt which is carried in the cookie. The There is no outside validation of the jwt, even though that jwt may contain sub tokens derived from an IdP. Those sub tokes are not validated. It would be onerous to do such on each request. Your best bet is to to keep |
|
Thank you very much for the quick reply and clarification. That makes sense. I was traveling down the wrong path of attempting to use vouch's user authentication for session management. related |
|
Thanks, that link has good advice IMHO. You can always immediately invalidate all tokens by changing the |
|
Microsoft adds a random guid to every issued token, I think it's in the The list would be kept relatively small since you can clear the items after the set max age. The flow could then be:
I'm not saying this is the best way to go, this is just how it could be implemented without much speed decrement. By keeping this optional users could choose to turn this on. When deploying multiple instances of VouchProxy with the same key, you will need some sort of distributed place to store the revoked keys, like redis. |
Describe the problem
After logging out, you can still pass vouch's validate handler with the captured cookie.
Expected behavior
vouch should not allowed a logged out session to re-use a cookie to log in.
Additional context
Steps to replicate
-- easiest method is using developer console in chrome and just copy the whole request to curl
Run the curl command that has the captured cookie.
This bit of code
https://github.com/vouch/vouch-proxy/blob/master/handlers/handlers.go#L98
will see the valid jwt in the cookie and the request will pass vouch's /validate handler
I think the crux of the problem is that vouch doesn't validate the jwt with the issuer. It is just looks for a jwt and is happy when it finds one.
The text was updated successfully, but these errors were encountered: