Task
Resolution: Fixed
L3 - Default
1
M
With the Identity integration, we did not originally scope logging out. We should implement this in the expected way with Identity, using refresh tokens. Specifically, when refreshing a token, the response from Identity should determine whether or not the Optimize cookie is refreshed. To do this while reusing the existing Optimize token logic, we would need to:
- Have the token lifetime configured to match Identity (the default in Identity is five minutes, but it is also configurable)
- Store the refresh token as a claim on the JWT cookie used by Optimize
- Use Identity to refresh the token when it is near expiry or has expired
Justification:
Makes Optimize consistent with other cloud products and aligns us with the expected behaviour of Identity
Note:
- This should be backported to the 3.9 maintenance branch
- This is an important feature to test very thoroughly, as it relates to authentication/security
Testing notes:
- If a user is logged out of Identity, the Optimize token does not get refreshed and the user session is invalidated
- When checking for cookie refresh, the token is refreshed with Identity if it has expired. If that refresh fails, the session is invalidated
- The refresh token is a claim on the Optimize cookie JWT
- If the renewal of tokens with Identity fails, the user should no longer have access to Optimize
- If a user's Identity token expires (by default after 5 minutes) but they still have an Optimize cookie, the refresh with Identity should result in a new Optimize cookie being set
- If a user logs in to Optimize and has authorization for the application, but that authorization is later revoked, the user should lose access to Optimize during token verification/refresh
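The refresh decision described in the testing notes, as an added illustration rather than Optimize's own code. It assumes an HMAC-signed cookie JWT with a `refresh_token` claim, a constructed signing secret, a near-expiry window of 60 seconds, and an injected `identity_refresh` callback standing in for the Identity refresh endpoint (it returns a new refresh token, or `None` when Identity rejects the request, e.g. after logout or revoked authorization).

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: Optimize cookie signing key
TOKEN_LIFETIME_S = 300               # matches Identity's default of five minutes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_cookie(subject: str, refresh_token: str, now: int) -> str:
    """Mint the Optimize JWT cookie, carrying the Identity refresh token as a claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "refresh_token": refresh_token, "exp": now + TOKEN_LIFETIME_S}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_cookie(cookie: str):
    """Return the claims when the signature is valid, else None (expiry is checked separately)."""
    try:
        header, payload, sig = cookie.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None

def refresh_if_needed(cookie: str, identity_refresh, now: int, near_expiry_s: int = 60):
    """Per-request check of the Optimize cookie.

    Returns (cookie_to_set_or_None, status):
      "valid"               cookie is good and not close to expiry
      "refreshed"           Identity accepted the refresh token; a new cookie is issued
      "session_invalidated" Identity rejected the refresh (logged out / authorization revoked)
      "invalid"             cookie is malformed or its signature does not verify
    """
    claims = verify_cookie(cookie)
    if claims is None:
        return None, "invalid"
    if claims["exp"] - now > near_expiry_s:
        return cookie, "valid"
    # Near or past expiry: the Identity response decides whether the session continues.
    new_refresh = identity_refresh(claims["refresh_token"])
    if new_refresh is None:
        return None, "session_invalidated"
    return issue_cookie(claims["sub"], new_refresh, now), "refreshed"
```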
Is related to: OPT-6733 Add logout button for Optimize in C8SM (Done)