Service list/online status not updated after authenticator delete
When an enrolled identity's authenticator is deleted (via a re-enroll) the desktop client does not refresh the identity's online status or service list.
Steps to reproduce:
1. create an identity and give it access to one or more services
2. enroll the identity via the desktop client
3. verify the service details show up in the desktop client
4. re-enroll the authenticator to delete the current authenticator and generate a new enrollment
At this point, the desktop client will continue to show the services for the identity and continue to show it as enrolled until the user either manually restarts the desktop client or something else triggers a refresh.
Hi @nf-npieros - Can you tell me the steps you take to "re-enroll the authenticator"?
Hi Dave, I'm currently doing this through the MOP, which in turn is using the /authenticators/{id}/re-enroll ziti edge endpoint. The MOP api changes to allow re-enrolls should be available in the lower environments.
I'm not sure if re-enroll is exposed via the CLI but doing ziti edge delete authenticator <id> should yield the same result for the purposes of debugging. The only difference should be that delete authenticator won't create a new enrollment which shouldn't matter for this issue.
Thanks. If at step 1 you delete the identity from ZDE does everything work as expected (or "forget" the identity from ZME)?
If I remove the identity from the desktop edge it still works as expected. However, if the identity is left in the desktop edge prior to the authenticator being deleted, the UI will not automatically be refreshed like it would for something like a change to a service.
Thanks. It looks like the api-session remains valid after the authenticator was deleted. I'll let it sit until the api-session expires to see what happens, but there was no message logged at ZDE indicating any change. I'll check with @andrewpmartinez to see what behavior is expected (e.g., should the existing session have been deleted).
Ok, let me know what ends up happening with the session. From my testing I was seeing that once the authenticator is deleted I can no longer use my services but I hadn't looked at the api session in ziti.
If the authenticator is being effectively revoked (by being replaced) it makes sense that all API sessions tied to that authenticator be removed. I do understand that this makes it interesting for clients because they will randomly lose their API session. However, we need to handle this as admins can randomly delete API sessions as well.
Once the api-session expired the status was correctly updated in ZDE. I'm going to move this issue to the edge repo.
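As an added illustration (not OpenZiti's code, and not the behaviour of any real controller release), the following Python model contrasts the two session policies discussed in this thread: sessions that merely outlive a deleted authenticator until their own expiry (what was observed here), versus sessions that are revoked as soon as the authenticator they were created with is deleted or replaced by a re-enroll (the behaviour argued for above). Class names, the 30-minute TTL and the service names are constructed for the example.

```python
"""Toy model of API-session handling around authenticator deletion.

Added illustration only; class names, TTL and service names are constructed.
Two policies are modelled:
  * expire-only: sessions stay valid until their own expiry, so a client
    keeps seeing its services after the authenticator is gone (reported here)
  * cascade: sessions bound to the deleted authenticator are revoked at once
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class ApiSession:
    token: str
    identity: str
    authenticator_id: str   # authenticator the session was created with
    expires_at: float       # absolute time, seconds
    revoked: bool = False


@dataclass
class Controller:
    cascade_on_delete: bool
    session_ttl: float = 30 * 60.0                      # constructed: 30 minutes
    authenticators: dict = field(default_factory=dict)  # auth_id -> identity name
    enrollments: dict = field(default_factory=dict)     # enrollment_id -> identity name
    sessions: dict = field(default_factory=dict)        # token -> ApiSession

    def authenticate(self, auth_id, now):
        """Create an API session bound to an existing authenticator."""
        identity = self.authenticators[auth_id]
        token = secrets.token_hex(16)
        self.sessions[token] = ApiSession(token, identity, auth_id, now + self.session_ttl)
        return token

    def delete_authenticator(self, auth_id):
        """Remove the authenticator; optionally revoke every session tied to it."""
        del self.authenticators[auth_id]
        if self.cascade_on_delete:
            for s in self.sessions.values():
                if s.authenticator_id == auth_id:
                    s.revoked = True

    def re_enroll(self, auth_id):
        """Model of re-enroll: drop the authenticator and issue a fresh enrollment."""
        identity = self.authenticators[auth_id]
        self.delete_authenticator(auth_id)
        enrollment_id = "enroll-" + secrets.token_hex(4)   # constructed id
        self.enrollments[enrollment_id] = identity
        return enrollment_id

    def session_is_valid(self, token, now):
        s = self.sessions.get(token)
        return s is not None and not s.revoked and now < s.expires_at

    def services_for(self, token, now):
        """What a polling client sees: a service list only while its session is valid."""
        if not self.session_is_valid(token, now):
            return []
        return ["svc-a", "svc-b"]   # constructed sample services


def scenario(cascade):
    """Run enroll -> authenticate -> re-enroll and report what the client sees.

    Returns (services right after re-enroll, services after the TTL has elapsed).
    """
    ctrl = Controller(cascade_on_delete=cascade)
    ctrl.authenticators["auth-1"] = "identity-1"
    tok = ctrl.authenticate("auth-1", now=0.0)
    ctrl.re_enroll("auth-1")
    just_after = ctrl.services_for(tok, now=1.0)
    after_ttl = ctrl.services_for(tok, now=ctrl.session_ttl + 1.0)
    return just_after, after_ttl


if __name__ == "__main__":
    print("expire-only:", scenario(cascade=False))   # services linger until expiry
    print("cascade:    ", scenario(cascade=True))    # services vanish immediately
```

The `expire-only` run reproduces the symptom in this issue (a stale but still-valid session keeps the service list alive until the TTL runs out); the `cascade` run shows the session check failing immediately, which is the point at which a client would refresh its online status.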
This functionality refers to legacy authentication (i.e. non-OIDC). OpenZiti is moving to a new authentication model where this issue is handled differently (through revocations that can be issued).
Closing due to end-of-life support for legacy authentication.