Silo admin endpoints for user logout + listing tokens and sessions #8479


Open
wants to merge 14 commits into
base: main

david-crespo
Contributor

@david-crespo david-crespo commented Jun 30, 2025

The idea here is that to disable a user's access to the system, admins first disable that user's ability to log in on the IdP side and then hit this endpoint to remove all of their existing credentials on our end. The centerpiece is the logout endpoint, but I added the endpoints for listing sessions and tokens because someone pointed out you really want to see those come back empty after logout. They're also kind of useful anyway. Then I added user_view just because it wouldn't make sense to have token and session list endpoints hanging off /v1/users/{user_id} without having that defined.

  • Add /v1/users/{user_id}/logout that deletes all of the user's tokens and sessions
  • Add new authz resource SiloUserAuthnList letting us authorize that action for silo admins specifically (can't use silo modify because fleet collaborator and admin get that on all silos)
  • Update IAM policy test
  • Test that logout deletes tokens and the right perms are enforced
  • Test that logout deletes sessions and the right perms are enforced
  • Add user_view and user_token_list and user_session_list endpoints for symmetry and to give the admin a warm fuzzy feeling when they see that the tokens and sessions are in fact gone (also makes testing a little cleaner)
  • Fix session list including expired sessions (and test it)
  • Think about whether we need to do something about dueling admins issues, i.e., what if the person you're trying to disable is themselves a silo admin and they log everyone else out of the silo. The only solution I can think of off the top of my head is an operator-level version of this endpoint that can be used by a user outside of the silo in question.

@david-crespo david-crespo changed the title Silo admin endpoint for user logout Silo admin endpoint for user logout + listing tokens and sessions Jul 2, 2025
@david-crespo david-crespo changed the title Silo admin endpoint for user logout + listing tokens and sessions Silo admin endpoints for user logout + listing tokens and sessions Jul 2, 2025
"modify" if "admin" on "parent_silo";

# A silo admin can list a user's tokens and sessions.
"list_children" if "admin" on "parent_silo";
Contributor Author

This is a little funny because I'm using list_children to determine whether you can list sessions and tokens (only self and silo admin can) but then I'm using modify on the list itself to determine whether you can do the logout delete-all operation. It works fine, but it goes slightly against the grain of how I know it's supposed to work. We just don't have many delete all type things.
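
The permission split discussed in the comment above and the logout-then-list check from the PR description, as an added Rust model that is not part of the thread or of the project's code. Every type and function name is hypothetical, sessions stand in for both sessions and tokens, and it assumes a user may list their own credentials but not bulk-delete them.

```rust
// Added toy model; all names are hypothetical, not the project's types or API.
pub enum Action { ListChildren, Modify }
pub struct Actor { pub id: u32, pub silo: u32, pub silo_admin: bool, pub fleet_admin: bool }
pub struct User { pub id: u32, pub silo: u32 }
pub struct Session { pub user: u32, pub expires_at: u64 }

/// Only "admin" on the target's parent silo grants both actions.
/// Assumption: the user themselves may list but not bulk-delete.
/// `fleet_admin` is deliberately never consulted.
pub fn allowed(actor: &Actor, target: &User, action: Action) -> bool {
    let admin_on_parent = actor.silo_admin && actor.silo == target.silo;
    match action {
        Action::ListChildren => admin_on_parent || actor.id == target.id,
        Action::Modify => admin_on_parent,
    }
}

/// Returns expiry times of the target's unexpired sessions, or None if denied.
pub fn list_sessions(actor: &Actor, target: &User, all: &[Session], now: u64) -> Option<Vec<u64>> {
    if !allowed(actor, target, Action::ListChildren) {
        return None;
    }
    let live = all.iter().filter(|s| s.user == target.id && s.expires_at > now);
    Some(live.map(|s| s.expires_at).collect())
}

/// Deletes every session of the target, expired or not; returns the count.
pub fn logout(actor: &Actor, target: &User, all: &mut Vec<Session>) -> Option<usize> {
    if !allowed(actor, target, Action::Modify) {
        return None;
    }
    let before = all.len();
    all.retain(|s| s.user != target.id);
    Some(before - all.len())
}

/// Constructed data: user 7 in silo 1 has one live and one expired session.
pub fn sample() -> (User, Vec<Session>) {
    let s = |user: u32, expires_at: u64| Session { user, expires_at };
    (User { id: 7, silo: 1 }, vec![s(7, 200), s(7, 50), s(8, 200)])
}

fn main() {
    let (target, mut db) = sample();
    let admin = Actor { id: 1, silo: 1, silo_admin: true, fleet_admin: false };
    println!("before: {:?}", list_sessions(&admin, &target, &db, 100));
    println!("removed: {:?}", logout(&admin, &target, &mut db));
    println!("after: {:?}", list_sessions(&admin, &target, &db, 100));
}
```
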

@david-crespo david-crespo marked this pull request as ready for review July 2, 2025 23:11