sbp commented on issue #1028: URL: https://github.com/apache/tooling-trusted-releases/issues/1028#issuecomment-4225933011
We should expire all other OAuth sessions when a user revokes a PAT or SSH key, or perhaps even a JWT (they can't do this presently, but since we're now checking the JWT we could do this). This was previously tracked as #971 and #972, but we closed them because you cannot escalate access from these credentials to OAuth. The revoked credentials may, however, have come from an attacker OAuth session, so it does make sense to do this. We should just do this unconditionally.

We should also expire all OAuth sessions globally when we rotate the JWT key, again unconditionally. That way, there is no way to miss the option and get it wrong. Closed sessions are only a minor inconvenience, but missing an open attacker session is very serious.
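The policy described in the comment, as an added illustration that is not code from the tooling-trusted-releases project: an in-memory model (all names and structures are assumptions) in which revoking any credential unconditionally drops every OAuth session of its owner, and rotating the JWT signing key drops every session for every user and invalidates tokens signed under the old key.

```python
import itertools


class SessionStore:
    """Constructed in-memory model of OAuth sessions, long-lived
    credentials (PAT, SSH key, JWT) and the JWT signing key version."""

    def __init__(self):
        self.sessions = {}      # user -> set of active OAuth session ids
        self.credentials = {}   # credential id -> (owner, key version at issue)
        self.jwt_key_version = 1
        self._ids = itertools.count(1)

    def login(self, user):
        sid = f"sess-{next(self._ids)}"
        self.sessions.setdefault(user, set()).add(sid)
        return sid

    def issue_credential(self, user):
        """Mint a credential, recording which key version was current so
        that a later rotation can be detected when the credential is used."""
        cred_id = f"cred-{next(self._ids)}"
        self.credentials[cred_id] = (user, self.jwt_key_version)
        return cred_id

    def credential_valid(self, cred_id):
        rec = self.credentials.get(cred_id)
        return rec is not None and rec[1] == self.jwt_key_version

    def revoke_credential(self, cred_id):
        """Revoke a credential and, with no optional flag that could be
        forgotten, expire every OAuth session of its owner, because the
        credential may have been created from an attacker's session."""
        user, _ = self.credentials.pop(cred_id)
        return len(self.sessions.pop(user, set()))

    def rotate_jwt_key(self):
        """Rotate the signing key and expire all sessions globally."""
        self.jwt_key_version += 1
        dropped = sum(len(s) for s in self.sessions.values())
        self.sessions.clear()
        return dropped

    def is_active(self, user, sid):
        return sid in self.sessions.get(user, set())
```

The return values count the sessions closed, which is what an audit log entry for the revocation or rotation would record.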
