You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@usergrid.apache.org by "Lynch Lee (JIRA)" <ji...@apache.org> on 2016/11/12 04:48:59 UTC
[jira] [Comment Edited] (USERGRID-1232) /revoketoken endpoint for
admin user token does not require auth
[ https://issues.apache.org/jira/browse/USERGRID-1232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15659004#comment-15659004 ]
Lynch Lee edited comment on USERGRID-1232 at 11/12/16 4:48 AM:
---------------------------------------------------------------
@[~jwest_apigee]
Considering this, if only the system admin can call revoke tokens of org admins/app admins/appusers directly, or the org admin can revoke any token himself, then org admins/app admins/appusers are safe.
Do you think so ...??
was (Author: lynchlee):
@[~jwest_apigee]
Considering this, if only the system admin can call revoke tokens of org/app/app user directly, or the org admin can revoke any token himself .
Do you think so ...??
> /revoketoken endpoint for admin user token does not require auth
> ----------------------------------------------------------------
>
> Key: USERGRID-1232
> URL: https://issues.apache.org/jira/browse/USERGRID-1232
> Project: Usergrid
> Issue Type: Story
> Reporter: Jeffrey
>
> If I get an access token as an org admin user, that token can be revoked by anyone.
> For example, this request revokes all of the org admin access tokens for user amuramoto:
> curl -X PUT https://api.usergrid.com/management/users/amuramoto/revoketokens
> This also applies to the /revoketoken?token="someToken" endpoint
> An access token should be required to perform any operation on the /management endpoint. So the request would need to be something like...
> curl -X PUT https://api.usergrid.com/management/users/amuramoto/revoketokens?access_token="some_other_valid_token"
> Alternatively, the request could provide client id and secret.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)