SSO Group Syncing - PATs don't update permissions until login #4870

Closed
sebastian-bury opened this issue Sep 29, 2023 · 4 comments

Comments

@sebastian-bury
Contributor

Describe the bug

If you set up SSO Group Syncing and a user creates a PAT, and the user's group permissions then change on the SSO provider side, the PAT continues to have the old permissions until the user logs in again, which is when group permissions are synced again.
This is a security concern because if a user loses permissions they can continue to access things through their PAT.

Steps to reproduce the bug

  1. have SSO Group syncing set up in your instance
  2. create a user with some permissions based on groups
  3. have the user create a PAT and logout
  4. update group permissions from SSO provider
  5. have the user continue using the PAT to access projects/things they shouldn't have now that the groups have been updated in the AD group (you can also see the user staying in the group in Unleash until they log in again)

Expected behavior

User permissions are updated in some way so PATs don't continue to have permission they shouldn't have. Not sure exactly how this would work/can be solved, might be a periodic check on user groups or something like that.

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

No response

Subscription type

Enterprise

Hosting type

None

SDK information (language and version)

No response
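The following is an added example (constructed for this thread, not Unleash's code) that models the behaviour the report describes and the "periodic check" the reporter suggests as a fix. The `SnapshotAuthorizer` copies group-derived permissions into the local user record only at interactive login, so a PAT keeps them indefinitely; the `BoundedStalenessAuthorizer` re-resolves group membership from the directory whenever its cached copy is older than `maxAgeMs`, so a group removal at the IdP takes effect within that window even if the user never logs in again. The `IdpDirectory` interface, the `GROUP_PERMISSIONS` mapping, the user `alice` and the group names are all assumptions made for the example.

```typescript
// Constructed model (added example, not Unleash code) of why a PAT keeps
// group-derived permissions after the IdP removes the user from a group.

type Permission = "read:projectA" | "write:projectA" | "read:projectB";

// Assumed group -> permission mapping; stands in for SSO group sync config.
const GROUP_PERMISSIONS: Record<string, Permission[]> = {
  "team-a": ["read:projectA", "write:projectA"],
  "team-b": ["read:projectB"],
};

function permissionsForGroups(groups: string[]): Set<Permission> {
  const perms = new Set<Permission>();
  for (const g of groups) for (const p of GROUP_PERMISSIONS[g] ?? []) perms.add(p);
  return perms;
}

// Hypothetical stand-in for the SSO provider's directory.
interface IdpDirectory {
  groupsOf(userId: string): string[];
}

class InMemoryIdp implements IdpDirectory {
  private membership = new Map<string, string[]>();
  setGroups(userId: string, groups: string[]): void {
    this.membership.set(userId, [...groups]);
  }
  groupsOf(userId: string): string[] {
    return this.membership.get(userId) ?? [];
  }
}

// Reported behaviour: groups are copied into the local user record only at
// interactive login, and every later PAT check reads that snapshot.
class SnapshotAuthorizer {
  private snapshot = new Map<string, Set<Permission>>();
  constructor(private readonly idp: IdpDirectory) {}
  login(userId: string): void {
    this.snapshot.set(userId, permissionsForGroups(this.idp.groupsOf(userId)));
  }
  patAllows(userId: string, perm: Permission): boolean {
    return this.snapshot.get(userId)?.has(perm) ?? false;
  }
}

// Mitigation modelled on the "periodic check" suggestion: a PAT check
// re-resolves group membership once the cached copy is older than maxAgeMs,
// so revocation at the IdP takes effect within that window without a login.
// A SCIM deprovisioning push would call invalidate() immediately instead.
class BoundedStalenessAuthorizer {
  private cache = new Map<string, { perms: Set<Permission>; syncedAt: number }>();
  constructor(
    private readonly idp: IdpDirectory,
    private readonly maxAgeMs: number,
    private readonly now: () => number,
  ) {}
  private resolve(userId: string): Set<Permission> {
    const hit = this.cache.get(userId);
    if (hit && this.now() - hit.syncedAt < this.maxAgeMs) return hit.perms;
    const perms = permissionsForGroups(this.idp.groupsOf(userId));
    this.cache.set(userId, { perms, syncedAt: this.now() });
    return perms;
  }
  invalidate(userId: string): void {
    this.cache.delete(userId);
  }
  login(userId: string): void {
    this.invalidate(userId);
    this.resolve(userId);
  }
  patAllows(userId: string, perm: Permission): boolean {
    return this.resolve(userId).has(perm);
  }
}

// Walks the reproduction steps from the report against both models,
// using a fake clock so the staleness window can be advanced deterministically.
function reproduce(): {
  snapshotStillAllows: boolean;
  boundedAllowsWithinWindow: boolean;
  boundedAllowsAfterWindow: boolean;
} {
  let clock = 0;
  const idp = new InMemoryIdp();
  idp.setGroups("alice", ["team-a"]); // step 2: user gets permissions via a group
  const snapshot = new SnapshotAuthorizer(idp);
  const bounded = new BoundedStalenessAuthorizer(idp, 60_000, () => clock);
  snapshot.login("alice"); // step 3: login, create PAT, log out
  bounded.login("alice");
  idp.setGroups("alice", []); // step 4: group removed at the IdP
  const boundedAllowsWithinWindow = bounded.patAllows("alice", "write:projectA");
  clock += 61_000; // step 5: PAT used again later
  return {
    snapshotStillAllows: snapshot.patAllows("alice", "write:projectA"),
    boundedAllowsWithinWindow,
    boundedAllowsAfterWindow: bounded.patAllows("alice", "write:projectA"),
  };
}
```

The bounded model still has a window of up to `maxAgeMs` during which a removed user can act through the PAT, which is the trade-off of a pull-based periodic check; a push from the IdP (SCIM deprovisioning, as the maintainers later chose to pursue) closes that window by invalidating the cached entry at the moment the group changes.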

@stale

stale bot commented Oct 29, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 29, 2023
@stale stale bot closed this as completed Nov 8, 2023
@stale stale bot removed the stale label Dec 13, 2023
@ivarconr
Member

ivarconr commented Jan 9, 2024

we have decided to address this by looking in to support for SCIM


stale bot commented Feb 8, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 8, 2024
@ivarconr
Member

I will close this issue as we have to start the SCIM initiative in Q1 2024.
#6220
