
invalidate web UI tokens after logout #3493

Open
@aead

Description

Expected Behavior

After logging in using access credentials, the user is able to perform an explicit log-out.
This should invalidate the JWT token such that no other API operations are possible.

Current Behavior

After logout the user can still perform arbitrary API operations using its token. Hence, the token is not
invalidated.

Possible Solution

Console should issue a delete for the session token to MinIO when the user logs out.

Steps to Reproduce (for bugs)

  1. Login to the web UI
  2. Copy the JWT token - e.g. via the developer console
  3. Issue a curl request (e.g. S3 GET) using the token

Context

Security
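
A worked illustration of the behaviour this issue reports, added here as an example; it is not code from MinIO Console or MinIO. It mints an HS256 JWT, verifies it the stateless way (alg, signature, expiry), and then checks the same token against a server-side revocation list keyed by the token's jti, which is one way to give the explicit log-out an effect on later API calls. The Claims layout, the in-memory Revocations map, the demo key and all function names are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT registered claims this example uses (assumed layout).
type Claims struct {
	Sub string `json:"sub"` // the logged-in user
	Jti string `json:"jti"` // unique token id; the key the revocation list is built on
	Exp int64  `json:"exp"` // expiry as Unix seconds
}

var ErrInvalidToken = errors.New("invalid token")
var ErrRevoked = errors.New("token revoked")

var enc = base64.RawURLEncoding

func sign(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Mint issues an HS256 JWT: base64url(header).base64url(claims).base64url(hmac).
func Mint(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return signingInput + "." + enc.EncodeToString(sign(key, signingInput)), nil
}

// VerifyStateless checks alg, signature and expiry only; logging out cannot change its answer.
func VerifyStateless(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrInvalidToken
	}
	var h struct{ Alg string `json:"alg"` }
	if hdr, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return Claims{}, ErrInvalidToken
	}
	if sig, err := enc.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return Claims{}, ErrInvalidToken
	}
	var c Claims
	if payload, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil || c.Exp <= now.Unix() {
		return Claims{}, ErrInvalidToken
	}
	return c, nil
}

// Revocations is a server-side denylist of jti -> exp (assumed in-memory store; a real server
// guards it with a mutex or keeps it in shared storage). An entry is only needed until the token's own exp.
type Revocations map[string]int64

// Logout is the explicit log-out: the presented token is verified, then its jti is recorded
// so the still-valid token cannot be replayed against the API.
func (r Revocations) Logout(key []byte, token string, now time.Time) error {
	c, err := VerifyStateless(key, token, now)
	if err == nil {
		r[c.Jti] = c.Exp
	}
	return err
}

// Verify is what every API call must run: the stateless check plus the revocation lookup.
func (r Revocations) Verify(key []byte, token string, now time.Time) (Claims, error) {
	c, err := VerifyStateless(key, token, now)
	if err != nil {
		return Claims{}, err
	}
	if _, revoked := r[c.Jti]; revoked {
		return Claims{}, ErrRevoked
	}
	return c, nil
}

// Purge drops entries whose tokens have expired on their own and reports how many it removed.
func (r Revocations) Purge(now time.Time) (n int) {
	for jti, exp := range r {
		if exp <= now.Unix() {
			delete(r, jti)
			n++
		}
	}
	return n
}

func main() {
	key := []byte("demo-key: use 32 random bytes in a real server") // assumed key for the demo only
	now := time.Now()
	tok, _ := Mint(key, Claims{Sub: "console-user", Jti: "session-1", Exp: now.Add(time.Hour).Unix()})
	store := Revocations{}
	_ = store.Logout(key, tok, now)
	_, stateless := VerifyStateless(key, tok, now)
	_, checked := store.Verify(key, tok, now)
	fmt.Println("after logout: stateless =", stateless, "| with revocation =", checked)
}
```

After Logout, VerifyStateless still returns the claims, which is the situation in the report: a signature-plus-expiry check has no way to know the session ended. Revocations.Verify refuses the same token with ErrRevoked, and because the reproduction above bypasses the UI with curl, that lookup has to run on the server that actually authorises the API request, not only in the Console front end. Purge keeps the list bounded: an entry is only needed until the token's own exp, after which the stateless check rejects it anyway.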

