Artifactory Binary Repository / RTFACT-23934

Access tokens for transient user not handled properly


    Details

    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.5.7
    • Fix Version/s: None
    • Component/s: Access Tokens
    • Labels:

      Description

      When creating a time-limited access token using a transient user's long-lived access token, we've observed the following issues:

      • username for token becomes token:<transient username>
      • access token with time limit is eligible to be used for new access tokens

      We've also noted the following issue related to transient users:

      • permission of transient user is not visible in API / UI

      The first issue is more or less cosmetic. Obviously it would be nice if nested tokens had the same username as the original token and the level of nesting was shown in an additional field.

      The second issue worries me. If someone is able to capture an access token, it can be refreshed indefinitely. Imho, to prevent refreshing, transient users should only be allowed to create a single level of access tokens, or nested access tokens should be set to expire at the same time as their parent.

      The third issue is something that we can probably manage with manual bookkeeping or by using playbooks for creating technical accounts. Obviously, I'd prefer that the scope was stored in the Artifactory database and that it was visible in the Artifactory API.

      I know I shouldn't have bundled all these issues in a single bug report. But without issue templates, writing issue descriptions is just annoying.

      We're an enterprise customer, if it matters in prioritizing the issue.
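The following is an added illustration of the two mitigations the reporter proposes for the second issue (a depth limit on nested tokens, and clamping a child token's expiry to its parent's). It is constructed example code, not Artifactory's token service: the `Token` fields, the `MAX_NESTING_DEPTH` constant, the scope strings and the sample timestamps are all assumptions made for the demonstration.

```python
"""Constructed example: a token-derivation policy that closes the refresh
loop described in the report. Not Artifactory code; the Token fields,
policy constants and sample values are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy knob (assumed value): a transient user's long-lived token may mint
# one level of child tokens; a time-limited child may not mint further ones.
MAX_NESTING_DEPTH = 1

# Fixed "now" so the worked scenario runs deterministically (constructed).
SAMPLE_NOW = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)


class TokenPolicyError(ValueError):
    """Raised when a child-token request violates the derivation policy."""


@dataclass(frozen=True)
class Token:
    token_id: str
    subject: str                    # original principal, not "token:<user>"
    scope: str
    expires_at: Optional[datetime]  # None = long-lived (no expiry)
    depth: int = 0                  # 0 = issued directly to the user
    parent_id: Optional[str] = None


def derive_child(parent: Token, child_id: str, ttl_seconds: int,
                 now: datetime = SAMPLE_NOW) -> Token:
    """Issue a child token bounded by the parent's lifetime and nesting depth."""
    if parent.expires_at is not None and parent.expires_at <= now:
        raise TokenPolicyError("parent token has expired")
    if parent.depth >= MAX_NESTING_DEPTH:
        raise TokenPolicyError("nesting depth limit reached; a time-limited "
                               "child may not mint further tokens")
    if ttl_seconds <= 0:
        raise TokenPolicyError("ttl must be positive")
    requested = now + timedelta(seconds=ttl_seconds)
    # Clamp: a child may be shorter-lived than its parent, never longer,
    # so chaining children cannot extend the lifetime of the original grant.
    expires_at = requested if parent.expires_at is None else min(requested, parent.expires_at)
    # The subject is carried through unchanged (no "token:<user>" renaming).
    return Token(token_id=child_id, subject=parent.subject, scope=parent.scope,
                 expires_at=expires_at, depth=parent.depth + 1,
                 parent_id=parent.token_id)


def seconds_remaining(token: Token, now: datetime = SAMPLE_NOW) -> Optional[int]:
    """Lifetime left in whole seconds, or None for a long-lived token."""
    if token.expires_at is None:
        return None
    return int((token.expires_at - now).total_seconds())


def demo() -> dict:
    """Walk the report's scenario: long-lived root -> 1h child -> refresh attempt."""
    # Constructed sample tokens; scope strings are placeholders.
    root = Token("root-1", "svc-build", "read:example-repo", None)
    child = derive_child(root, "child-1", ttl_seconds=3600)
    # A captured time-limited child cannot be "refreshed" by minting a grandchild.
    try:
        derive_child(child, "grandchild-1", ttl_seconds=3600)
        refresh_blocked = False
    except TokenPolicyError:
        refresh_blocked = True
    # A child asking for more time than its parent has left is clamped.
    short_root = Token("root-2", "svc-deploy", "write:example-repo",
                       SAMPLE_NOW + timedelta(minutes=10))
    clamped = derive_child(short_root, "child-2", ttl_seconds=3600)
    return {
        "child_subject": child.subject,
        "child_depth": child.depth,
        "child_ttl": seconds_remaining(child),
        "refresh_blocked": refresh_blocked,
        "clamped_ttl": seconds_remaining(clamped),
    }


if __name__ == "__main__":
    print(demo())
```

Either rule on its own breaks the indefinite-refresh loop: the depth limit stops a time-limited child from minting at all, and the expiry clamp guarantees that even where deeper nesting is permitted, no descendant outlives the token it was derived from.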

              People

              Assignee:
              Unassigned
              Reporter:
              skorhone Sami Korhonen (Inactive)
              Votes:
              1
              Watchers:
              2