Don't allow SSO & U1 users to have thousands of tokens or sessions
Bug #1207363 reported by
Michael Foord
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical SSO provider |
Confirmed
|
Medium
|
Unassigned | ||
Bug Description
https:/
SSO account admin interface fails for users with insane amounts of authentication tokens.
U1 makes api calls to list tokens. With insane amounts of tokens this is very expensive.
The incident report linked above recommends:
Don't allow SSO & U1 users to have thousands of OAUTH tokens, or thousands of authentication tokens, or thousands of sessions
Report problematic users and manually investigate, or make the SSO refuse to add more if there are already too many.
We could also expire (delete) tokens that haven't been used for a long time (e.g. 1 month).
| Changed in canonical-identity-provider: | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| assignee: | nobody → Ubuntu One web team (ubuntuone-web) |
| tags: | added: u1-by-dev u1-on-production |
| tags: | added: canonical-webops |
| Changed in canonical-identity-provider: | |
| assignee: | Registry Administrators (registry) → nobody |
To post a comment you must log in.
