Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

lower default access / id / refresh token lifespans #5077

Merged
merged 3 commits into from
Nov 21, 2022
Merged

lower default access / id / refresh token lifespans #5077

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
45de2c6
lower default access / id / refresh token lifespans
wkloucek Nov 18, 2022
9f0fa2d
add changelog
wkloucek Nov 21, 2022
018cc5b
Update changelog
wkloucek Nov 21, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions changelog/unreleased/change-lower-idp-token-lifespans.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Fix: Lower IDP token lifespans
wkloucek marked this conversation as resolved.
Show resolved Hide resolved

We've lowered the IDP token lifespans to more reasonable durations.

https://github.com/owncloud/ocis/pull/5077
8 changes: 4 additions & 4 deletions services/idp/pkg/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,8 +111,8 @@ type Settings struct {
CookieBackendURI string
CookieNames []string

AccessTokenDurationSeconds uint64 `yaml:"access_token_duration_seconds" env:"IDP_ACCESS_TOKEN_EXPIRATION" desc:"Expiration time in seconds for IDP access token."`
IDTokenDurationSeconds uint64 `yaml:"id_token_duration_seconds" env:"IDP_ID_TOKEN_EXPIRATION" desc:"Expiration time in seconds for IDP ID tokens."`
RefreshTokenDurationSeconds uint64 `yaml:"refresh_token_duration_seconds" env:"IDP_REFRESH_TOKEN_EXPIRATION" desc:"Expiration time in seconds for refresh tokens."`
DyamicClientSecretDurationSeconds uint64 `yaml:"dynamic_client_secret_duration_seconds" env:"IDP_DYNAMIC_CLIENT_SECRET_DURATION" desc:"Expiration time in seconds for dynamic clients."`
AccessTokenDurationSeconds uint64 `yaml:"access_token_duration_seconds" env:"IDP_ACCESS_TOKEN_EXPIRATION" desc:"'Access token lifespan in seconds (time before an access token is expired).'"`
IDTokenDurationSeconds uint64 `yaml:"id_token_duration_seconds" env:"IDP_ID_TOKEN_EXPIRATION" desc:"ID token lifespan in seconds (time before an ID token is expired)."`
RefreshTokenDurationSeconds uint64 `yaml:"refresh_token_duration_seconds" env:"IDP_REFRESH_TOKEN_EXPIRATION" desc:"Refresh token lifespan in seconds (time before an refresh token is expired). This also limits the duration of an idle offline session."`
DyamicClientSecretDurationSeconds uint64 `yaml:"dynamic_client_secret_duration_seconds" env:"IDP_DYNAMIC_CLIENT_SECRET_DURATION" desc:"Lifespan in seconds of a dynamically registered OIDC client."`
}
6 changes: 3 additions & 3 deletions services/idp/pkg/config/defaults/defaultconfig.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,9 +61,9 @@ func DefaultConfig() *config.Config {
ValidationKeysPath: "",
CookieBackendURI: "",
CookieNames: nil,
AccessTokenDurationSeconds: 60 * 60 * 24, // 1 day
IDTokenDurationSeconds: 60 * 60, // 1 hour
RefreshTokenDurationSeconds: 60 * 60 * 24 * 365 * 3, // 1 year
AccessTokenDurationSeconds: 60 * 5, // 5 minutes
IDTokenDurationSeconds: 60 * 5, // 5 minutes
RefreshTokenDurationSeconds: 60 * 60 * 24 * 30, // 30 days
DyamicClientSecretDurationSeconds: 0,
},
Clients: []config.Client{
Expand Down