Allow Session change without session token #7883
Comments
relates to #6099
@livio-a, I have 2 questions:
zitadel/docs/docs/guides/integrate/login-ui/_logout.mdx Lines 4 to 7 in 6cf9ca9
As without the token we can't establish the "authenticated user" and the logic falls back to the I have a draft PR here if you want to check what I mean: #7963
# Which Problems Are Solved

The session update requires the current session token as argument. Since this adds extra complexity but no real additional security and prevents cases like magic links, we want to remove this requirement.

We still require the session token on other resources / endpoints, e.g. for finalizing the auth request or on idp intents.

# How the Problems Are Solved

- Removed the session token verifier in the Update Session gRPC call.
- Removed the session token from login UI examples session update calls

# Additional Changes

- none

# Additional Context

- Closes #7883
🎉 This issue has been resolved in version 2.53.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
The session update and deletion require the current session token as argument.
Since this adds extra complexity but no real additional security and prevents cases like magic links, we want to remove this requirement.
We still require the session token on other resources / endpoints, e.g. for finalizing the auth request or on idp intents.
Acceptance criteria
and delete endpoint