Service list/online status not updated after authenticator delete #1610
Comments
Hi @nf-npieros - Can you tell me the steps you take to "re-enroll the authenticator"?
Hi Dave, I'm currently doing this through the MOP, which in turn is using the I'm not sure if re-enroll is exposed via the CLI but doing
Thanks. If at step 1 you delete the identity from ZDE does everything work as expected (or "forget" the identity from ZME)?
If I remove the identity from the desktop edge it still works as expected. However, if the identity is left in the desktop edge prior to the authenticator being deleted, the UI will not automatically be refreshed like it would for something like a change to a service.
Thanks. It looks like the api-session remains valid after the authenticator was deleted. I'll let it sit until the api-session expires to see what happens, but there was no message logged at ZDE indicating any change. I'll check with @andrewpmartinez to see what behavior is expected (e.g., should the existing session have been deleted).
Ok, let me know what ends up happening with the session. From my testing I was seeing that once the authenticator is deleted I can no longer use my services, but I hadn't looked at the api session in ziti.
If the authenticator is being effectively revoked (by being replaced) it makes sense that all API sessions tied to that authenticator be removed. I do understand that this makes it interesting for clients because they will randomly lose their API session. However, we need to handle this as admins can randomly delete API sessions as well.
Once the api-session expired the status was correctly updated in ZDE. I'm going to move this issue to the edge repo.
- an authenticator removed or re-enrolled would continue to allow old API Sessions to operate - deleted or re-enrolled authenticators now remove associated API Sessions
for #1213 delete api session on authenticator delete/re-enroll
This functionality refers to legacy authentication (i.e. non-OIDC). OpenZiti is moving to a new authentication model where this issue is handled differently (through revocations that can be issued). Closing due to end-of-life support for legacy authentication.
When an enrolled identity's authenticator is deleted (via a re-enroll) the desktop client does not refresh the identity's online status or service list.
Steps to reproduce:
1. create an identity and give it access to one or more services
2. enroll the identity via the desktop client
3. verify the service details show up in the desktop client
4. re-enroll the authenticator to delete the current authenticator and generate a new enrollment
At this point, the desktop client will continue to show the services for the identity and continue to show it as enrolled until the user either manually restarts the desktop client or something else triggers a refresh.
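The behaviour the thread converges on (API sessions minted from an authenticator must be revoked when that authenticator is deleted or re-enrolled, rather than lingering until they expire) as a small added model that is not OpenZiti's own code; the authenticator-to-session link, the `cascade` flag and all type and function names are assumptions made for illustration.

```go
package main

// Minimal model of the controller state discussed in this issue. It is not
// OpenZiti's code; the authenticator-to-session link and all names are assumed.
type Authenticator struct{ ID, IdentityID string }

// APISession records which credential it was minted from (assumed linkage).
type APISession struct{ IdentityID, AuthenticatorID string }
type Controller struct {
	Authenticators map[string]Authenticator
	APISessions    map[string]APISession // keyed by session token
}

func NewController() *Controller {
	return &Controller{map[string]Authenticator{}, map[string]APISession{}}
}

// Authenticate mints an API session bound to the authenticator that proved the identity.
func (c *Controller) Authenticate(authenticatorID, token string) bool {
	a, ok := c.Authenticators[authenticatorID]
	if !ok {
		return false
	}
	c.APISessions[token] = APISession{a.IdentityID, authenticatorID}
	return true
}

// DeleteAuthenticator removes a credential. cascade=false reproduces the reported
// behaviour (sessions minted from it stay valid until they expire on their own);
// cascade=true is the fix from the linked commit: associated API sessions go too.
func (c *Controller) DeleteAuthenticator(id string, cascade bool) {
	delete(c.Authenticators, id)
	if !cascade {
		return
	}
	for token, s := range c.APISessions {
		if s.AuthenticatorID == id {
			delete(c.APISessions, token) // deleting during range is safe in Go
		}
	}
}

// ReEnroll replaces an identity's authenticator; old sessions are revoked with it,
// so a client holding an old token must log in again with the new credential.
func (c *Controller) ReEnroll(oldID, newID string) {
	identityID := c.Authenticators[oldID].IdentityID
	c.DeleteAuthenticator(oldID, true)
	c.Authenticators[newID] = Authenticator{ID: newID, IdentityID: identityID}
}
```

A client that only polls its existing session, as the desktop client did here, sees no change until the controller actually drops the session; the cascade is what makes the status change observable.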