Invalidate token when az logout #137

Closed
antoineozenne opened this issue Oct 11, 2022 · 2 comments

@antoineozenne

The access token in ~/.kube/cache/kubelogin is valid for 1 hour and is not invalidated when we log out with the command az logout. My kubelogin command is configured with --login azurecli. So, if:

  • I log in as user A: az login -u A
  • I get an access token, which is cached in ~/.kube/cache/kubelogin.
  • I log out: az logout
  • I log in as user B: az login -u B
  • I have the access token of user A, valid for 1 hour, so I have the privileges (because of the groups present in the token) of user A.

I think this is a critical security issue. Is it possible to invalidate the access token on logout? Or, at least, remove the access token from the cache, but this is not sufficient, I think.

@weinong
Contributor

weinong commented Oct 11, 2022

I think we can disable token cache in azurecli mode.

weinong added a commit that referenced this issue Oct 19, 2022
remove token cache for azurecli login since az already does that. It ensures kubelogin would not leak the token after az logout

addresses #137
@weinong
Contributor

weinong commented Nov 16, 2022

Fixed in v0.0.21
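A check for the stale-cache condition reported in this issue, as an added example that is not part of the thread or of kubelogin's own code: it scans a cache directory for unexpired tokens that belong to an identity other than the one currently logged in. It assumes the cache files hold the access token as JWT text and that the `upn` claim names the user; the function names are hypothetical and the sample tokens are constructed, unsigned values.

```python
import base64, json, re, tempfile
from pathlib import Path

# Three dot-separated base64url segments; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def claims(jwt: str) -> dict:
    """Decode the payload segment without verifying the signature (audit only)."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def stale_tokens(cache_dir: Path, current_user: str, now: float) -> list:
    """Return (file name, upn, seconds left) for unexpired tokens of another identity."""
    findings = []
    for path in sorted(cache_dir.rglob("*")):
        if not path.is_file():
            continue
        for jwt in JWT_RE.findall(path.read_text(errors="ignore")):
            try:
                c = claims(jwt)
            except ValueError:
                continue  # JWT-shaped text whose payload does not decode
            if not isinstance(c, dict):
                continue
            left = int(c.get("exp", 0) - now)
            if left > 0 and str(c.get("upn", "")).lower() != current_user.lower():
                findings.append((path.name, c.get("upn"), left))
    return findings

def make_token(upn: str, exp: int) -> str:
    """Constructed, unsigned sample token; not a real credential."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"upn": upn, "exp": exp}).encode())
    return f"{header}.{body}.sig"

def demo() -> list:
    now = 1_700_000_000  # fixed clock so the result is repeatable
    samples = {"a.json": ("A@example.com", now + 3000),   # user A, still valid
               "b.json": ("B@example.com", now + 3000),   # current user
               "old.json": ("A@example.com", now - 10)}   # user A, expired
    with tempfile.TemporaryDirectory() as d:
        for name, (upn, exp) in samples.items():
            Path(d, name).write_text(json.dumps({"access_token": make_token(upn, exp)}))
        return stale_tokens(Path(d), "b@example.com", now)

if __name__ == "__main__":
    for name, upn, left in demo():
        print(f"{name}: token for {upn} still valid for {left}s")
```

For a real check, call `stale_tokens` with `Path.home() / ".kube/cache/kubelogin"`, the name printed by `az account show --query user.name -o tsv`, and `time.time()`.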
