Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add OIDC property for configuring internal ID token lifespan #30213

Merged
merged 1 commit into from
Jan 6, 2023
Merged

Add OIDC property for configuring internal ID token lifespan #30213

merged 1 commit into from
Jan 6, 2023

Conversation

sberyozkin
Copy link
Member

@sberyozkin sberyozkin commented Jan 5, 2023
edited
Loading

Fixes #30111.

Simple PR to allow configuring an internal ID token lifespan with the OIDC specific property since relying on the global smallrye jwt property may not always be possible.

Internal ID tokens are generated when GitHub or other OAuth2 only providers do not provide them. Default lifespan is 5 mins which is not a problem if a browser is used directly to authenticate to Quarkus via GitHub because after it expires and the redirect to GitHub is initiated GitHub does not itself challenge since as its own session is still valid (at least it was the case the last time I tried it). But it poses a problem for Ajax/SPA based applications.

Therefore it makes sense to let users configure the internal ID token lifespan at the OIDC level to a large enough value, and then use a local logout technique whenever the token age exceeds the acceptable limits.

Updated the wiremock test to confirm 300 (5 min) is a default lifespan for the internal id tokens, but can be changed if needed (ex to 301 as in the test)

CC @kucharzyk

@sberyozkin sberyozkin requested a review from gastaldi January 5, 2023 17:29
@quarkus-bot quarkus-bot bot added the area/oidc label Jan 5, 2023
@quarkus-bot

This comment has been minimized.

Sign in to view
@sberyozkin sberyozkin force-pushed the oidc_internal_idtoken_lifetime branch from 7bda9b6 to 6d3e89b Compare January 5, 2023 22:38
@quarkus-bot
Copy link

quarkus-bot bot commented Jan 5, 2023

Failing Jobs - Building 6d3e89b

Status Name Step Failures Logs Raw logs
✔️ JVM Tests - JDK 11
✔️ JVM Tests - JDK 17
JVM Tests - JDK 17 MacOS M1 Set up runner ⚠️ Check → Logs Raw logs
✔️ JVM Tests - JDK 18

@sberyozkin sberyozkin merged commit bb83654 into quarkusio:main Jan 6, 2023
@quarkus-bot quarkus-bot bot added this to the 2.16 - main milestone Jan 6, 2023
@quarkus-bot quarkus-bot bot added the kind/enhancement New feature or request label Jan 6, 2023
@sberyozkin sberyozkin deleted the oidc_internal_idtoken_lifetime branch January 6, 2023 09:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gastaldi gastaldi gastaldi approved these changes

Assignees
No one assigned
Labels
area/oidc kind/enhancement New feature or request
Projects
None yet
Milestone
2.16.0.CR1
Development

Successfully merging this pull request may close these issues.

Introduce a property to control the internal OIDC ID token lifespan
2 participants
@sberyozkin @gastaldi