Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-6085

Bearer Token isn't killed after user logs out

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.0
    • Fix Version/s: 1.10.0
    • Component/s: Security
    • Labels:
      None

      Description

      I observed that Authorization Bearer token is not invalidated after a logout.

      Steps to produce 

      Step 1: Login to Nifi as usual.

      Step 2: Copy the authorisation bearer token after the login from /nifi-api/access/token response.

      Step 3: Make a request a curl request as below and observe http 200 response is received with status information.

      curl -v -H "Authorization: Bearer <Token>" https://nifi-server/nifi-api/flow/status

      Step 4: Log out from Nifi Console 

      Step 5: Repeat Step 3 and observe again http 200 response is received with status information even though the user has logged out.

       

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                thenatog Nathan Gough
                Reporter:
                abdusahin Abdu Sahin
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 50m
                  50m