OpenAM / OPENAM-13779

Session API - _action=refresh requires an admin token

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.0.0.4, 6.0.0.5, 6.5.0
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: rest
    • Labels:
    • Sprint: AM Sustaining Sprint 62
    • Needs backport: Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification: Yes
    • Functional tests: Yes
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      Users can't refresh their sessions.

      How to reproduce the issue

      Both versions of the refresh session action require an admin token:

      # Refresh the user's session (resource=2.1); tokenId is passed as a query parameter
      RefreshSession1=$(curl -s \
      --request POST \
      --header "Accept-API-Version: resource=2.1, protocol=1.0" \
      --header "Cache-Control: no-cache" \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --header "iplanetDirectoryPro: $admin" \
      "$protocol://$host:$port/$deployment/json/sessions/?_action=refresh&tokenId=$user" | jq .)

      # Refresh the user's session (resource=3.1); tokenId is posted as JSON under realms/root
      RefreshSession2=$(curl -s \
      --request POST \
      --header "Accept-API-Version: resource=3.1, protocol=1.0" \
      --header "Cache-Control: no-cache" \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --header "iplanetDirectoryPro: $admin" \
      --data "{\"tokenId\":\"${user}\"}" \
      "$protocol://$host:$port/$deployment/json/realms/root/sessions/?_action=refresh" | jq .)

      Expected behaviour
      Users should be able to refresh their sessions.

      Current behaviour
      403 Forbidden error. Only admins can refresh users' sessions.

      _action=getSessionInfo doesn't require an admin token. We need clarification of which actions are for admins and which are for users.
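As an added check (not part of this report or of OpenAM's own code), the following Python probe sends both session actions named above, against both API versions, with the user's own token instead of an admin token and reports which are accepted; a 403 on refresh means the reported behaviour is still present. The base URL and token are assumptions, and the getSessionInfo request is assumed to take the same shape as the refresh call for each version.

```python
# Constructed probe for OPENAM-13779: send getSessionInfo and refresh with the
# user's OWN token (iplanetDirectoryPro header) and record the HTTP status.
import json
import urllib.error
import urllib.request

def build_request(base, version, action, user_token):
    """Shape one session-action request as in the bug report: resource=2.1
    passes tokenId as a query parameter, resource=3.1 posts it as JSON under
    realms/root. The same shape is assumed for getSessionInfo."""
    headers = {
        "Accept-API-Version": f"resource={version}, protocol=1.0",
        "Accept": "application/json",
        "Content-Type": "application/json",
        "iplanetDirectoryPro": user_token,  # the user's token, not an admin's
    }
    if version == "2.1":
        url = f"{base}/json/sessions/?_action={action}&tokenId={user_token}"
        body = b""
    else:
        url = f"{base}/json/realms/root/sessions/?_action={action}"
        body = json.dumps({"tokenId": user_token}).encode()
    return url, headers, body

def http_send(url, headers, body):
    """Real transport: POST the request and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 403 when the action is admin-only

def probe_session_actions(base, user_token, send=http_send):
    """{(version, action): verdict}; 'denied (403)' on refresh = bug still present."""
    results = {}
    for version in ("2.1", "3.1"):
        for action in ("getSessionInfo", "refresh"):
            url, headers, body = build_request(base, version, action, user_token)
            status = send(url, headers, body)
            results[(version, action)] = "allowed" if status == 200 else f"denied ({status})"
    return results

if __name__ == "__main__":
    import sys  # usage: probe.py https://am.example.com:8443/openam <user SSO token>
    for (version, action), verdict in probe_session_actions(sys.argv[1], sys.argv[2]).items():
        print(f"resource={version} _action={action}: {verdict}")
```

The `send` parameter exists so the probe can be exercised against a fake transport before pointing it at a real deployment.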

      People

      • Assignee: markdr Mark de Reeper
      • Reporter: anastasios.kampas Tasos Kampas
      • Votes: 0
      • Watchers: 8