IDToken: cache invalidation (#100592)

* Make the org role part of the ID token cache key, so that a new token is always signed when the role changes

* Remove calls to remove id token
Karl Persson
2025-02-13 14:10:58 +01:00
committed by GitHub
parent a69fac6e16
commit be60ef0500
6 changed files with 60 additions and 72 deletions
-6
@@ -7,11 +7,9 @@ import (
"net/http"
"strconv"
claims "github.com/grafana/authlib/types"
"github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/api/response"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/authn"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/login"
"github.com/grafana/grafana/pkg/services/org"
@@ -434,10 +432,6 @@ func (hs *HTTPServer) updateOrgUserHelper(c *contextmodel.ReqContext, cmd org.Up
}
}
if err := hs.idService.RemoveIDToken(c.Req.Context(), &authn.Identity{ID: strconv.FormatInt(cmd.UserID, 10), Type: claims.TypeUser, OrgID: cmd.OrgID}); err != nil {
return response.Error(http.StatusInternalServerError, "Failed to invalidate the ID token cache", err)
}
if err := hs.orgService.UpdateOrgUser(c.Req.Context(), &cmd); err != nil {
if errors.Is(err, org.ErrLastOrgAdmin) {
return response.Error(http.StatusBadRequest, "Cannot change role so that there is no organization admin left", nil)