Impact
When an API token is created with the api-authorizations plugin for a user who logged in via OIDC, and that user is also declared in the rudder-users.xml configuration file, the rights of the API token are exactly those declared in the file, regardless of the user's actual OIDC authentication and identity.
Patches
Configuration options were added to disable the per-user API token feature. Setting rudder.auth.userRestToken=disabled turns it off for all users; by default the value is still enabled. For users provided by OIDC the feature is now disabled by default, controlled by rudder.auth.oidc.userRestToken=disabled.
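As an added example (not from the advisory or the Rudder project), a small audit helper that reads a Java-style properties file and reports the effective state of the two options above, applying the defaults the advisory states for patched versions; the properties file path and the exact syntax Rudder accepts are assumptions.

```python
# Added audit helper (not part of the advisory or of Rudder itself). It checks
# whether the two per-user API token options introduced by the patch are in
# their safe state in a Java-style properties file such as (assumed path)
# /opt/rudder/etc/rudder-web.properties. Defaults follow the advisory text:
# rudder.auth.userRestToken defaults to "enabled", and
# rudder.auth.oidc.userRestToken defaults to "disabled" on patched versions.
from typing import Dict

DEFAULTS = {
    "rudder.auth.userRestToken": "enabled",
    "rudder.auth.oidc.userRestToken": "disabled",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser: skips blank lines and #/! comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            continue
        props[key.strip()] = value.strip()
    return props


def audit_user_token_settings(text: str) -> Dict[str, Dict[str, object]]:
    """Return, per option, its effective value (explicit or default) and
    whether that value is the safe one ("disabled")."""
    props = parse_properties(text)
    report: Dict[str, Dict[str, object]] = {}
    for key, default in DEFAULTS.items():
        explicit = props.get(key)
        effective = (explicit if explicit is not None else default).lower()
        report[key] = {
            "effective": effective,
            "explicit": explicit is not None,
            "safe": effective == "disabled",
        }
    return report


# Constructed sample: only the OIDC option is set explicitly, so the
# global option falls back to its "enabled" default and gets flagged.
SAMPLE = """# constructed rudder-web.properties excerpt
rudder.auth.oidc.userRestToken=disabled
"""

if __name__ == "__main__":
    for key, info in audit_user_token_settings(SAMPLE).items():
        state = "OK" if info["safe"] else "REVIEW"
        print(f"{state}: {key} = {info['effective']} (explicit={info['explicit']})")
```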
Workarounds
Delete each API token of users who logged in via OIDC, or disable the plugin for all users:
rudder package disable api-authorizations
Alternatively, removing all of the user's permissions from the rudder-users.xml file makes that user's API token useless.
References