cameleer/cameleer-saas
1
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity

Cross-app session management (parked) #38

New Issue
Open
opened 2026-04-07 12:32:07 +02:00 by claude · 0 comments
claude commented 2026-04-07 12:32:07 +02:00
Owner
Copy Link

Logging out of the SaaS platform invalidates the Logto session (redirects to Logto end-session endpoint), but does not invalidate the cameleer3-server session. The server uses its own JWT issued after the OIDC code exchange.

Observed behavior

  1. Login as admin on platform → click "View Dashboard" → server shows "Platform Admin"
  2. Logout from platform → redirected to sign-in page
  3. Server tab still shows "Platform Admin" — server JWT is still valid

Root cause

Two independent JWT issuers: Logto (platform) and cameleer3-server (internal). The server's JWT has its own expiry and is not tied to the Logto session.

Possible approaches

  • Server-side: check Logto session validity on each request (adds latency)
  • Frontend: postMessage/BroadcastChannel to notify server-ui tab of logout
  • Accept as architectural constraint and document it

Status: PARKED — not blocking for current milestone.

Logging out of the SaaS platform invalidates the Logto session (redirects to Logto end-session endpoint), but does **not** invalidate the cameleer3-server session. The server uses its own JWT issued after the OIDC code exchange. ## Observed behavior 1. Login as admin on platform → click "View Dashboard" → server shows "Platform Admin" 2. Logout from platform → redirected to sign-in page 3. Server tab still shows "Platform Admin" — server JWT is still valid ## Root cause Two independent JWT issuers: Logto (platform) and cameleer3-server (internal). The server's JWT has its own expiry and is not tied to the Logto session. ## Possible approaches - Server-side: check Logto session validity on each request (adds latency) - Frontend: postMessage/BroadcastChannel to notify server-ui tab of logout - Accept as architectural constraint and document it **Status: PARKED** — not blocking for current milestone.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
auth
Identity, authentication, OIDC, RBAC
 billing
Billing, metering, and Stripe integration
 day-1
Required for initial launch
 epic
Top-level epic grouping related issues
 future
Planned for future release
 infra
Infrastructure, GitOps, K8s orchestration
 licensing
License module and feature gating
 networking
Network isolation, VPN, tenant separation
 observability
Observability integration (cameleer3-server)
 ops
Platform operations and self-monitoring
 phase-1
Phase 1: Foundation + Auth
 phase-2
Phase 2: Tenants + Licensing
 phase-3
Phase 3: Runtime Orchestration + Environments
 phase-4
Phase 4: Observability Pipeline + Inbound Routing
 phase-5
Phase 5: K8s Operational Layer
 phase-6
Phase 6: Billing + Metering
 phase-7
Phase 7: Billing + Metering
 phase-8
Phase 8: Security Hardening + Self-Monitoring
 phase-9
Phase 9: Frontend (React Shell)
 platform
SaaS management platform
 runtime
Camel application runtime
 secrets
Secrets management and vault integration
 security
Security, compliance, SOC 2, audit
 task
Implementation task within a phase
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claude
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: cameleer/cameleer-saas#38
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?