SSO Group Syncing - PATs don't update permissions until login
sebastian-bury opened this issue · 4 comments
Describe the bug
If you set up SSO Group Syncing and a user creates a PAT, and the user's group permissions then change on the SSO provider side, the PAT continues to have the old permissions until the user logs in again, at which point group permissions are synced again.
This is a security concern because if a user loses permissions they can continue to access things through their PAT.
Steps to reproduce the bug
- have SSO Group syncing set up in your instance
- create a user with some permissions based on groups
- have the user create a PAT and logout
- update group permissions from SSO provider
- have the user continue using the PAT to access projects/things they shouldn't have access to now that the groups have been updated in the AD group (you can also see the user staying in the group in Unleash until they log in again)
Expected behavior
User permissions are updated in some way so PATs don't continue to have permissions they shouldn't have. Not sure exactly how this would work/can be solved, might be a periodic check on user groups or something like that.
Logs, error output, etc.
No response
Screenshots
No response
Additional context
No response
Unleash version
No response
Subscription type
Enterprise
Hosting type
None
SDK information (language and version)
No response
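The mechanism the report describes, as an added example written for this page (it is not Unleash's code, and the `IdentityProvider`, `Directory`, `PatStore` and `GROUP_ROLES` names are assumptions): group membership is copied from the SSO provider only at login, so a PAT authorised against that cached copy keeps granting whatever the groups granted at login time. The second authoriser shows the "periodic check" idea from the expected behaviour: re-sync membership from the provider on PAT use whenever the cached copy is older than a maximum age.

```typescript
// Added example, not Unleash's code. Models SSO group sync + PAT authorisation
// to show the stale-permission problem and a max-age re-sync mitigation.
type Role = "viewer" | "editor";

interface User {
  id: string;
  groups: Set<string>;     // groups as last synced from the SSO provider
  groupsSyncedAt: number;  // epoch ms of that sync (login in the buggy model)
}

// Admin-configured mapping from SSO group to granted role (assumed values).
const GROUP_ROLES: Record<string, Role> = {
  "proj-a-editors": "editor",
  "proj-a-viewers": "viewer",
};

// Simulated SSO provider: the source of truth for group membership.
class IdentityProvider {
  private membership = new Map<string, string[]>();
  setGroups(userId: string, groups: string[]): void {
    this.membership.set(userId, [...groups]);
  }
  getGroups(userId: string): Set<string> {
    return new Set(this.membership.get(userId) ?? []);
  }
}

// Local user directory. In the buggy model, login() is the only sync point.
class Directory {
  private users = new Map<string, User>();
  private idp: IdentityProvider;
  constructor(idp: IdentityProvider) { this.idp = idp; }
  login(userId: string, now: number): User { return this.sync(userId, now); }
  sync(userId: string, now: number): User {
    const user: User = { id: userId, groups: this.idp.getGroups(userId), groupsSyncedAt: now };
    this.users.set(userId, user);
    return user;
  }
  get(userId: string): User | undefined { return this.users.get(userId); }
}

// Personal access tokens: opaque token -> owning user id.
class PatStore {
  private tokens = new Map<string, string>();
  issue(userId: string, token: string): void { this.tokens.set(token, userId); }
  owner(token: string): string | undefined { return this.tokens.get(token); }
}

function rolesFor(groups: Set<string>): Set<Role> {
  const roles = new Set<Role>();
  for (const g of groups) { const role = GROUP_ROLES[g]; if (role) roles.add(role); }
  return roles;
}

// Buggy behaviour from the issue: the PAT is authorised against the groups
// cached at the user's last login, however long ago that was.
function authorizePatStale(pats: PatStore, dir: Directory, token: string, required: Role): boolean {
  const userId = pats.owner(token);
  const user = userId === undefined ? undefined : dir.get(userId);
  return user !== undefined && rolesFor(user.groups).has(required);
}

// Mitigation: on every PAT use, re-sync from the provider if the cached
// membership is older than maxAgeMs (0 means "re-sync on every use").
function authorizePatWithResync(
  pats: PatStore, dir: Directory, token: string, required: Role, now: number, maxAgeMs: number,
): boolean {
  const userId = pats.owner(token);
  if (userId === undefined) return false;
  let user = dir.get(userId);
  if (user === undefined) return false;
  if (now - user.groupsSyncedAt > maxAgeMs) user = dir.sync(userId, now);
  return rolesFor(user.groups).has(required);
}

// Constructed scenario from the report: alice is an editor, logs in, creates a
// PAT, then is moved to the viewer group in the provider without logging in again.
function scenario() {
  const idp = new IdentityProvider();
  const dir = new Directory(idp);
  const pats = new PatStore();
  const MIN = 60_000;
  const tok = "user:pat-token"; // hypothetical token value
  idp.setGroups("alice", ["proj-a-editors"]);
  dir.login("alice", 0);
  pats.issue("alice", tok);
  idp.setGroups("alice", ["proj-a-viewers"]); // demoted at the SSO provider
  return {
    stale: authorizePatStale(pats, dir, tok, "editor"),                                 // bug: still editor
    resyncFresh: authorizePatWithResync(pats, dir, tok, "editor", 1 * MIN, 5 * MIN),   // still editor: inside max age
    resyncExpired: authorizePatWithResync(pats, dir, tok, "editor", 10 * MIN, 5 * MIN), // re-synced: no longer editor
    resyncAlways: authorizePatWithResync(pats, dir, tok, "editor", 11 * MIN, 0),       // max age 0: always current
    viewerAfterResync: authorizePatWithResync(pats, dir, tok, "viewer", 11 * MIN, 0),
  };
}
```

The max-age variant only narrows the window: a revoked group still works for up to `maxAgeMs` after the last sync, so the value is a trade-off between provider load and how long a removed user keeps access. A max age of 0 closes the window entirely at the cost of a provider lookup per PAT request; pushing membership changes from the provider side (for example via SCIM deprovisioning) achieves the same without polling, but that is a separate integration the issue does not describe.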
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.