
htdestroytoken doesn't always force getting a new bearer token #84


Open
DrDaveD opened this issue Aug 17, 2023 · 2 comments

Comments

DrDaveD (Collaborator) commented Aug 17, 2023

It would be nice if htdestroytoken would force getting a new bearer token, but because vault caches the bearer token in a different plugin than the ones used to create vault tokens, that is not always the case. Since htgettoken doesn't know what the default minsecs is, it doesn't have an easy way to force getting a new bearer token when a new vault token is retrieved (unless it was via oidc authentication, which also updates the refresh token). It may require a change to the protocol with the puppetlabs vault plugin.

DrDaveD (Collaborator, Author) commented Mar 1, 2024

Probably the thing to do is to delete the refresh token. That will probably require adding the "delete" capability to the policies in htvault-config.

DrDaveD (Collaborator, Author) commented Mar 1, 2024

Adding the "delete" capability is required to remove the refresh token. Note that this does more than destroying the bearer token, however; it requires going through oidc authentication again.
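The policy change discussed in the two comments above, shown as an added illustration rather than htvault-config's shipped policy. The mount and path (`secret/oauth/creds/...`) and the use of Vault's `{{identity.entity.name}}` templating are assumptions made here for the example; the real paths in htvault-config may differ. The point is only the capability list: without "delete" a client can create, read and refresh its stored credential but cannot remove the refresh token, so a forced re-authentication is impossible; with "delete" it can.

```hcl
# Added example, not htvault-config's actual policy. The path below is a
# placeholder; substitute the credential path that htvault-config really uses.

# Before (hypothetical): the client may obtain and refresh the credential but
# cannot remove the stored refresh token, so nothing the client does can force
# a fresh oidc authentication.
#
# path "secret/oauth/creds/{{identity.entity.name}}" {
#   capabilities = ["create", "read", "update"]
# }

# After: adding "delete" lets the client remove its stored refresh token.
# As the comment above notes, this is stronger than discarding the cached
# bearer token: the next htgettoken run must go through oidc authentication
# again, which also installs a new refresh token.
path "secret/oauth/creds/{{identity.entity.name}}" {
  capabilities = ["create", "read", "update", "delete"]
}
```

Because "delete" on this path is irreversible for the stored credential, it is worth scoping it with the same per-user templating (or equivalent path restriction) as the read/update capabilities, so a client can only remove its own refresh token and not another user's.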
