Security vulnerability (JWT token) Web authentication

Hi all
JWT token does not expire when the admin logs out of the UI, allowing potential unauthorized access by copying the token. This is a security vulnerability that can be mitigated by setting a shorter expiration period for the token. However, the vulnerability still persists despite these measures. How to fix this issue?

The expiration is a concept of JWTs.

Note that the JWT is deleted when the admin logs out from the UI.

Please feel free to write your detailed findings and actual attack vector to security@privacyidea.org.

Possible actions out of the box:

  1. You can set a shorter lock timeout. See 7.6. WebUI Policies — privacyIDEA 3.10dev1 documentation

  2. You could reset the SECRET_KEY, that is used to sign the JWT, thus rendering issued JWTs invalid. See: 2.5. The Config File — privacyIDEA 3.10dev1 documentation

  3. You can modify the code here: privacyidea/privacyidea/api/auth.py at 9153e57f8830737661ca2287a1f8d28bf617652d · privacyidea/privacyidea · GitHub
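The three options in the answer (short lifetime, secret rotation, code change) correspond to three checks a verifier can perform. The following is an added example, not privacyIDEA's code and not taken from auth.py: a minimal HS256 JWT issuer and verifier built on the Python standard library that adds a server-side revocation list keyed on the token's "jti" claim, so that a logout invalidates the copied token before its "exp" is reached. The names issue_token, verify_token, logout and RevocationList are hypothetical, and the secret and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example (hypothetical, not privacyIDEA code): HS256 JWT issue/verify
# with expiry, secret rotation and a server-side denylist for logged-out tokens.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, signing_input: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(secret: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT with a random 'jti' so the token can be revoked individually."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_hex(16)}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    ).encode()
    return signing_input.decode() + "." + _b64url(_sign(secret, signing_input))


class RevocationList:
    """Server-side denylist of 'jti' values; an entry is dropped once its token has expired anyway."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        for stale in [j for j, e in self._revoked.items() if e <= now]:
            del self._revoked[stale]  # expired entries can no longer be replayed
        return jti in self._revoked


def verify_token(secret: bytes, token: str, revocations: RevocationList, now: Optional[int] = None):
    """Return (ok, reason, claims): signature first, then algorithm, expiry, and the denylist."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    signing_input = f"{header_b64}.{payload_b64}".encode()
    try:
        # Constant-time compare; rotating the secret makes every older token fail here.
        if not hmac.compare_digest(_sign(secret, signing_input), _b64url_decode(sig_b64)):
            return False, "bad_signature", None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed", None
    if header.get("alg") != "HS256":
        return False, "bad_alg", None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired", None
    if revocations.is_revoked(str(claims.get("jti", "")), now):
        return False, "revoked", None
    return True, "ok", claims


def logout(secret: bytes, token: str, revocations: RevocationList, now: Optional[int] = None) -> bool:
    """Logout handler: deny the presented token's jti until the token would have expired."""
    ok, _, claims = verify_token(secret, token, revocations, now)
    if not ok:
        return False
    revocations.revoke(claims["jti"], claims["exp"])
    return True


if __name__ == "__main__":
    key = b"constructed-secret-key"
    denylist = RevocationList()
    tok = issue_token(key, "admin", ttl_seconds=600, now=1000)
    print(verify_token(key, tok, denylist, now=1100)[1])       # ok
    logout(key, tok, denylist, now=1100)
    print(verify_token(key, tok, denylist, now=1200)[1])       # revoked
    print(verify_token(b"rotated", tok, denylist, now=1200)[1])  # bad_signature
```

The denylist only has to remember a jti for as long as the token's own lifetime, so the shorter the expiry (option 1 in the answer), the smaller the list; rotating the secret (option 2) invalidates every outstanding token at once, at the cost of logging every user out.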