fix(admin-UI): Admin UI Does Not Revoke User Session Token Upon Logout
"How to" document attached below. Please test in latest release.
Admin UI does not revoke the user session token when the sign-out operation is performed.pdf
I tried this one with the Chrome "replay XHR" option but was not able to reproduce it in the nightly build; I'll try with Burp Suite.
Hi, this is replicable in v5.9.0 or 1.9.0.
https://github.com/user-attachments/assets/d3b4a13d-99ab-443c-aa1d-267b98f314e7
@duttarnab please have a look.
Hey, could you please share the issue?
Hi team, I can confirm that the issue is still present.
As shown in the attached video, the customer is intercepting a user-creation request and successfully executing it multiple times with different parameters (such as username, email, etc.). This repeated execution is allowed until the Config API authorization token expires (15 minutes). The customer has raised concerns about this behavior.
Admin UI is not a public internet–facing application. It is expected to be protected by a firewall, so for requests from Admin UI to the Config API we are not expecting such testing.
- If we really want to fix this, then we would need to support a transaction token (tx_token) in the Config API or some similar technique. However, this would introduce a performance overhead, as the Admin UI would need to fetch a new tx_token from the Config API before every request. Currently, the Admin UI reuses the same authorization token to access the Config API until it expires.
```mermaid
sequenceDiagram
    Admin UI->>Jans Server: authorization_code
    Jans Server->>Admin UI: access_token
    Admin UI->>Jans Server: access_token
    Jans Server->>Admin UI: user-info JWT
    Admin UI->>Admin UI Backend: user-info JWT
    Admin UI Backend->>Admin UI: Config API token
    Admin UI->>Config API: Config API token + access_token
    Config API->>Admin UI: tx_token (expires_in: 30 secs)
    Admin UI->>Config API: tx_token
    Config API->>Admin UI: allow access to endpoints
```
- Another simple approach is to reduce the Config API token expiry to 30 seconds so that multiple requests cannot be made using the same token. However, this would introduce a performance issue, as the Admin UI would need to generate a new Config API token before every request.
Currently, the default validity period of the Config API token is 15 minutes, which allows the same token to be reused for API requests during that time. Once the token expires, the Admin UI requests a new token.
cc: @syntrydy @faisalsiddique4400 @moabu @nynymike
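To make the tx_token proposal above concrete, here is an added example (not Janssen project code) of how a Config API side could issue and consume single-use, short-lived transaction tokens bound to the caller's access token, so that a captured user-creation request cannot be replayed even while the 15-minute Config API token is still valid. The class and function names (`TransactionTokenStore`, `config_api_create_user`, `simulate_replay`) and the 30-second TTL used for the demo are assumptions for illustration; the injected clock exists only so expiry can be exercised without sleeping.

```python
import hashlib
import hmac
import secrets
import time


class TransactionTokenStore:
    """Issues and consumes single-use transaction tokens (tx_token).

    Each tx_token is bound to the hash of the access_token it was issued for,
    expires after `ttl_seconds`, and is deleted on first use, so a replayed
    request carrying the same tx_token is rejected. (Illustrative design,
    not the Janssen Config API implementation.)
    """

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable clock so tests can simulate expiry
        self._pending = {}  # tx_token -> (expires_at, bound access_token hash)

    @staticmethod
    def _bind(access_token):
        # Store only a hash so the store never holds the raw access_token.
        return hashlib.sha256(access_token.encode()).hexdigest()

    def issue(self, access_token):
        self._purge_expired()
        tx_token = secrets.token_urlsafe(32)
        self._pending[tx_token] = (self.clock() + self.ttl, self._bind(access_token))
        return tx_token

    def consume(self, tx_token, access_token):
        """Return (accepted, reason). pop() makes the token single-use."""
        entry = self._pending.pop(tx_token, None)
        if entry is None:
            return False, "unknown or already used tx_token"
        expires_at, bound_hash = entry
        if self.clock() > expires_at:
            return False, "tx_token expired"
        if not hmac.compare_digest(bound_hash, self._bind(access_token)):
            return False, "tx_token not bound to this access_token"
        return True, "ok"

    def _purge_expired(self):
        now = self.clock()
        self._pending = {k: v for k, v in self._pending.items() if v[0] >= now}


class FakeClock:
    """Constructed clock for the demo; advance() stands in for elapsed time."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def config_api_create_user(store, config_api_token, access_token, tx_token, payload):
    """Hypothetical Config API endpoint guard: long-lived token still required,
    but every state-changing call must also present a fresh, unused tx_token."""
    if config_api_token != "valid-config-api-token":  # constructed placeholder check
        return 401, "invalid Config API token"
    accepted, reason = store.consume(tx_token, access_token)
    if not accepted:
        return 409, reason
    return 201, f"created user {payload['username']}"


def simulate_replay(ttl_seconds=30):
    """Replays one intercepted user-creation request; returns the status codes."""
    clock = FakeClock()
    store = TransactionTokenStore(ttl_seconds=ttl_seconds, clock=clock)
    cfg, acc = "valid-config-api-token", "user-access-token-abc"  # constructed values

    # Legitimate Admin UI call: fetch tx_token, then create the user.
    tx = store.issue(acc)
    first = config_api_create_user(store, cfg, acc, tx, {"username": "alice"})

    # Same captured request sent again with a changed username: same tx_token.
    replay = config_api_create_user(store, cfg, acc, tx, {"username": "bob"})

    # A tx_token that was fetched but held past its TTL is also rejected.
    stale = store.issue(acc)
    clock.advance(ttl_seconds + 1)
    late = config_api_create_user(store, cfg, acc, stale, {"username": "carol"})

    return [first[0], replay[0], late[0]]


if __name__ == "__main__":
    print(simulate_replay())  # [201, 409, 409]
```

The single-use property comes entirely from `pop()` in `consume`; a production store would need the same atomic take-and-delete semantics across Config API instances (for example a backing cache with an atomic delete), otherwise two nodes could each accept the same tx_token.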