0010126: Behaviour of expired UserTokens not consistent - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0010126	10000-004: Services	Spec	public	2025-01-30 14:04	2025-05-06 16:08

Reporter	Matthias Isele	Assigned To	Matthias Damm
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	1.05.04
Fixed in Version	1.05.06 RC1

Summary	0010126: Behaviour of expired UserTokens not consistent
Description	Description: Part 4 - 7.41.6 IssuedIdentityToken states: "IssuedIdentityTokens have an expiration time, and a Server shall invalidate the credentials of the Session within a configurable time after the token expires. The Session shall stay valid with the Anonymous Role. Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption." Part 6 - 6.5.3.2 Access Tokens states: "If the Server allows for anonymous users, the Server may allow the Session to stay open but treat it as an anonymous user. If the Server does not allow anonymous users, it should close the Session immediately." Part 4 - 7.41.5 X509IdentityTokens does not state anything about exipred tokens. My expectation is that the behaviour for an expired X509IdentityToken and an expired IssuedIdentityToken should be the same. Proposal: In Part 4 - 7.41.6 IssuedIdentityToken add: "If the Server does not allow anonymous users, it should close the Session immediately." In Part 4 - 7.41.5 X509IdentityTokens add the text as in section IssuedIdentityToken: X509IdentityTokens have an validity period and a Server shall invalidate the credentials of the Session within a configurable time after the token expires. The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session immediately. Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption.
Tags	No tags attached.

Commit Version	1.05.06 RC1
Fix Due Date	2025-04-30

Jim Luth 2025-02-25 17:39 administrator ~0022409	try to apply the proposed changes;

Matthias Damm 2025-03-10 16:44 developer ~0022493	Added to 7.41.6 IssuedIdentityToken: If the Server does not allow anonymous users, it should close the Session. Added to 7.41.5 X509IdentityTokens: X509IdentityTokens have an validity period and a Server shall invalidate the credentials of the Session within a configurable time after the token expires. The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session. Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption.

Jim Luth 2025-05-06 16:07 administrator ~0022707	Agreed to changes edited in web meeting.

Date Modified	Username	Field	Change
2025-01-30 14:04	Matthias Isele	New Issue
2025-02-25 17:38	Jim Luth	Assigned To	=> Matthias Damm
2025-02-25 17:38	Jim Luth	Status	new => assigned
2025-02-25 17:39	Jim Luth	Note Added: 0022409
2025-02-25 17:39	Jim Luth	Commit Version	=> 1.05.06 RC1
2025-02-25 17:39	Jim Luth	Fix Due Date	=> 2025-04-30
2025-03-10 16:44	Matthias Damm	Status	assigned => resolved
2025-03-10 16:44	Matthias Damm	Resolution	open => fixed
2025-03-10 16:44	Matthias Damm	Note Added: 0022493
2025-05-06 16:07	Jim Luth	Status	resolved => closed
2025-05-06 16:07	Jim Luth	Fixed in Version	=> 1.05.05 RC1
2025-05-06 16:07	Jim Luth	Note Added: 0022707
2025-05-06 16:08	Jim Luth	Fixed in Version	1.05.05 RC1 => 1.05.06 RC1