[OPENAM-15245] REST API to provide the ability for the user to query all their own sessions Created: 18/Jul/19  Updated: 13/Aug/19

Status: Open
Project: OpenAM
Component/s: session
Affects Version/s: 6.0.0, 6.5.0, 6.5.1, 6.5.2
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: C-Weng C Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: CustomerRFE
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Support Ticket IDs:

Description

Problem
Currently it is possible as an administrator to query all the sessions for a particular user (in a realm). However, it is not possible for a session itself to query the sessions that are owned by (or created by) the same user; this gives Forbidden.

Currently

curl 'http://openam.example.com:8080/openam/json/sessions?_queryFilter=username%20eq%20%22demo%22%20and%20realm%20eq%20%22%2F%22' -H 'Accept-API-Version: protocol=1.0,resource=3.1' 

returns Forbidden when the session is itself used to query its own username.

Purpose of this

  • There is a need to relax this so that the same "user" (hopefully they are the same) can query all their own sessions, so that a user application (dashboard) can be used to manage their own sessions (including invalidating them).
  • Generally this may be considered where the requester intends to have a custom user dashboard/service that manages their profile, devices, and also information on sessions.
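As an added example (not OpenAM project code and not part of the reporter's text), the following Python helper builds the `/json/sessions` query URL quoted in the description, refuses usernames that could break out of the quoted filter literal, and maps the two outcomes the issue describes: a 200 with a `result` list, or the 403 Forbidden that a non-admin session currently receives. It assumes the SSO token is passed in the `iPlanetDirectoryPro` header (the default OpenAM cookie name, assumed unchanged), and the response bodies are constructed samples, not captured from a real instance.

```python
"""Added example for OPENAM-15245: build the session query and handle its outcomes."""
import json
from urllib.parse import quote

OPENAM_BASE = "http://openam.example.com:8080/openam"  # host from the issue's curl line
ACCEPT_API_VERSION = "protocol=1.0,resource=3.1"      # header from the issue's curl line
FORBIDDEN_CHARS = set('"\\')  # refuse rather than escape: keeps the filter to one literal


def build_sessions_query_url(username: str, realm: str = "/", base: str = OPENAM_BASE) -> str:
    """Return the /json/sessions URL with a CREST _queryFilter for one user in one realm.

    A username containing a quote or backslash is rejected so that a caller cannot
    widen the filter to match other users' sessions (filter injection).
    """
    if not username or FORBIDDEN_CHARS & set(username):
        raise ValueError("username contains characters not allowed in a quoted filter literal")
    query_filter = f'username eq "{username}" and realm eq "{realm}"'
    # quote() with safe='' encodes space, quote and slash as %20, %22 and %2F,
    # which reproduces the URL shown in the issue exactly.
    return f"{base}/json/sessions?_queryFilter={quote(query_filter, safe='')}"


def request_headers(session_token: str) -> dict:
    """Headers for the query: the API version from the issue plus the caller's own
    SSO token in the iPlanetDirectoryPro header (assumed default cookie name)."""
    return {"Accept-API-Version": ACCEPT_API_VERSION, "iPlanetDirectoryPro": session_token}


def interpret_sessions_response(status: int, body: str) -> list:
    """Map the HTTP outcome to what a user dashboard can do with it.

    403 is the case the issue reports: a user's own session querying its username.
    200 carries a CREST envelope whose 'result' list holds the session entries.
    """
    if status == 403:
        raise PermissionError("session may not query its own user's sessions (OPENAM-15245)")
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    payload = json.loads(body)
    return payload.get("result", [])


# Constructed sample bodies (not captured from a real OpenAM instance).
SAMPLE_FORBIDDEN = json.dumps({"code": 403, "reason": "Forbidden", "message": "Forbidden"})
SAMPLE_OK = json.dumps({
    "result": [
        {"username": "demo", "realm": "/", "sessionHandle": "shandle:EXAMPLE-1"},
        {"username": "demo", "realm": "/", "sessionHandle": "shandle:EXAMPLE-2"},
    ],
    "resultCount": 2,
    "pagedResultsCookie": None,
})


if __name__ == "__main__":
    print(build_sessions_query_url("demo"))
    print(request_headers("EXAMPLE-SSO-TOKEN"))
    try:
        interpret_sessions_response(403, SAMPLE_FORBIDDEN)
    except PermissionError as exc:
        print("forbidden:", exc)
    for entry in interpret_sessions_response(200, SAMPLE_OK):
        print("session:", entry["sessionHandle"])
```

The validation in `build_sessions_query_url` matters once the restriction is relaxed as requested: if a user-facing dashboard takes the username from its own session rather than from user input, the filter stays scoped to that user, and rejecting quote characters means a crafted name cannot turn the single literal into a broader filter.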

Generated at Mon Nov 23 16:08:52 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.