
Conversation

@rmartinc
Contributor

Closes #10232

Main points:

  • There is a macro to include the logout other sessions checkbox in the needed ftl pages.
  • The login-recovery-authn-code-config.ftl has been modified a bit to make both checkboxes (the previous confirmation box and the new logout other sessions input) look the same.
  • Now all the actions call a static method logoutOtherSessions if the form parameter logout-sessions is passed as on.
  • Tests added for each action: totp, webauthn and recovery codes.
  • The previous test BackwardsCompatibilityUserStorageTest needs changes because it registers totp with a session created before. So the test failed, as the previous sessions are removed now.

@mposolda I have not modified the update email action, as it was mentioned this way in the issue. But we can do the same for that action. The new account console also uses an AIA to update the user email, so I think it would be exactly the same.

@rmartinc rmartinc requested review from a team as code owners July 24, 2023 06:34
@rmartinc rmartinc requested a review from a team July 24, 2023 06:34
@rmartinc rmartinc requested a review from a team as a code owner July 24, 2023 06:34
@mposolda
Contributor

@rmartinc Looks great, Thanks!

My vote would be to just add this to the UpdateEmail action, as it should be covered as well.

@rmartinc
Contributor Author

@mposolda Adding the checkbox to the update email was not as direct as I thought. It seems that if the email needs to be verified in the realm, it needs to be verified at change too (ensuring I'm the owner of the previous email). So there is a second case in which the logout of sessions should be postponed to the time when the email is verified (I think it makes no sense to do the logout before, when the email is sent). I have created a second commit instead of squashing the PR; I think it's easier to review this way. I can do it differently if you think this is not the best option, or we can just remove the email part (second commit). CI worked yesterday in my branch.


@mposolda mposolda left a comment


@rmartinc Thanks for the updates. Your changes look correct to me and I am approving this. Hopefully tests are ok. Will squash the commits during merge.

@mposolda mposolda self-assigned this Jul 26, 2023
@mposolda mposolda merged commit ee35cfe into keycloak:main Jul 26, 2023
rmartinc added a commit to rmartinc/keycloak that referenced this pull request Jul 26, 2023
…hn codes setup pages (keycloak#21897)

* Add logout other sessions checkbox to TOTP, webauthn, recovery authn codes setup pages and to update-email page
Closes keycloak#10232
mposolda pushed a commit that referenced this pull request Jul 28, 2023
…hn codes setup pages (#21897)

* Add logout other sessions checkbox to TOTP, webauthn, recovery authn codes setup pages and to update-email page
Closes #10232
This was referenced Sep 4, 2023
@moritzschmitz-oviva

@mposolda May I ask here if the offline session tokens are invalidated as well?

@rmartinc
Contributor Author

@moritzschmitz-oviva I would say no; the method that is called to obtain the sessions to log out is getUserSessionsStream, not getOfflineUserSessionsStream.

@moritzschmitz-oviva

> @moritzschmitz-oviva I would say no; the method that is called to obtain the sessions to log out is getUserSessionsStream, not getOfflineUserSessionsStream.

Was there a reason to not also invalidate them?
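The thread describes the mechanism in words only: a static logoutOtherSessions helper, invoked by the required action when the logout-sessions form parameter is "on", that enumerates the user's online sessions (getUserSessionsStream) and logs out every one except the session performing the action, while offline sessions (getOfflineUserSessionsStream) are left alone. The sketch below is an added illustration written for this page, not the code merged in the PR. It assumes Keycloak's server SPI as the editor recalls it around the 22.x line (RequiredActionContext, UserSessionProvider.getUserSessionsStream / getOfflineUserSessionsStream, UserSessionModel.isOffline, and the AuthenticationManager.backchannelLogout overload that takes an offlineSession flag); check those signatures against the version you build against. The includeOffline switch is the hypothetical extension asked about in the last comment, not something the merged change does.

```java
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Illustrative helper, not the PR's code: logs out a user's other sessions
 * from inside a required action (TOTP/WebAuthn/recovery-code setup, update
 * email) and, optionally, the offline sessions as well.
 * Assumption: API names and signatures are as the editor recalls them for
 * Keycloak ~22.x and must be verified against the target version.
 */
public final class LogoutOtherSessionsExample {

    // Form parameter named in the PR description; an HTML checkbox submits "on".
    static final String LOGOUT_SESSIONS_PARAM = "logout-sessions";

    private LogoutOtherSessionsExample() {}

    /** True only when the user explicitly ticked the checkbox (absent or any other value is "no"). */
    static boolean logoutRequested(RequiredActionContext context) {
        String value = context.getHttpRequest().getDecodedFormParameters().getFirst(LOGOUT_SESSIONS_PARAM);
        return "on".equals(value);
    }

    /**
     * Logs out every session of the user except the one performing the action.
     * includeOffline=false matches what the thread says the merged code does
     * (online sessions only); includeOffline=true additionally revokes offline
     * sessions, i.e. the refresh tokens issued with the offline_access scope.
     */
    static void logoutOtherSessions(RequiredActionContext context, boolean includeOffline) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        UserModel user = context.getUser();
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        // The user session created/used by this login carries the id of the root authentication session,
        // so that id identifies "the current session" to keep.
        String currentId = authSession.getParentSession().getId();

        Stream<UserSessionModel> online = session.sessions().getUserSessionsStream(realm, user);
        Stream<UserSessionModel> offline = includeOffline
                ? session.sessions().getOfflineUserSessionsStream(realm, user)
                : Stream.empty();

        Stream.concat(online, offline)
                .filter(s -> !Objects.equals(s.getId(), currentId))
                // Materialise first: backchannelLogout removes sessions from the store,
                // which would otherwise modify it while the stream is still being read.
                .collect(Collectors.toList())
                .forEach(s -> AuthenticationManager.backchannelLogout(
                        session, realm, s,
                        session.getContext().getUri(),
                        context.getConnection(),
                        context.getHttpRequest().getHttpHeaders(),
                        true,           // also notify the identity broker, if any
                        s.isOffline())); // assumption: this overload revokes offline sessions correctly
    }
}
```

Inside a required action's processAction you would call logoutOtherSessions(context, false) only after the credential change has succeeded and logoutRequested(context) is true, so that a failed TOTP or WebAuthn registration never terminates the user's other sessions. Note that even with includeOffline=true, access tokens already issued to other sessions stay valid until they expire; only the sessions and their refresh tokens are revoked.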


Development

Successfully merging this pull request may close these issues.

Kill sessions after a password reset or MFA modification
