Make expiry of auth requests configurable

This commit is contained in:
Maximilian Gaß 2018-12-13 11:40:58 +01:00
parent aafbaa36c5
commit 468c74d1d2
5 changed files with 22 additions and 6 deletions

View file

@ -233,6 +233,9 @@ type Expiry struct {
// IdTokens defines the duration of time for which the IdTokens will be valid. // IdTokens defines the duration of time for which the IdTokens will be valid.
IDTokens string `json:"idTokens"` IDTokens string `json:"idTokens"`
// AuthRequests defines the duration of time for which the AuthRequests will be valid.
AuthRequests string `json:"authRequests"`
} }
// Logger holds configuration required to customize logging for dex. // Logger holds configuration required to customize logging for dex.

View file

@ -64,6 +64,7 @@ staticPasswords:
expiry: expiry:
signingKeys: "6h" signingKeys: "6h"
idTokens: "24h" idTokens: "24h"
authRequests: "24h"
logger: logger:
level: "debug" level: "debug"
@ -131,8 +132,9 @@ logger:
}, },
}, },
Expiry: Expiry{ Expiry: Expiry{
SigningKeys: "6h", SigningKeys: "6h",
IDTokens: "24h", IDTokens: "24h",
AuthRequests: "24h",
}, },
Logger: Logger{ Logger: Logger{
Level: "debug", Level: "debug",

View file

@ -242,6 +242,14 @@ func serve(cmd *cobra.Command, args []string) error {
logger.Infof("config id tokens valid for: %v", idTokens) logger.Infof("config id tokens valid for: %v", idTokens)
serverConfig.IDTokensValidFor = idTokens serverConfig.IDTokensValidFor = idTokens
} }
if c.Expiry.AuthRequests != "" {
authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
if err != nil {
return fmt.Errorf("invalid config value %q for auth request expiry: %v", c.Expiry.AuthRequests, err)
}
logger.Infof("config auth requests valid for: %v", authRequests)
serverConfig.AuthRequestsValidFor = authRequests
}
serv, err := server.NewServer(context.Background(), serverConfig) serv, err := server.NewServer(context.Background(), serverConfig)
if err != nil { if err != nil {

View file

@ -160,7 +160,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
// screen too long. // screen too long.
// //
// See: https://github.com/dexidp/dex/issues/646 // See: https://github.com/dexidp/dex/issues/646
authReq.Expiry = s.now().Add(24 * time.Hour) // Totally arbitrary value. authReq.Expiry = s.now().Add(s.authRequestsValidFor)
if err := s.storage.CreateAuthRequest(authReq); err != nil { if err := s.storage.CreateAuthRequest(authReq); err != nil {
s.logger.Errorf("Failed to create authorization request: %v", err) s.logger.Errorf("Failed to create authorization request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.") s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")

View file

@ -68,8 +68,9 @@ type Config struct {
// Logging in implies approval. // Logging in implies approval.
SkipApprovalScreen bool SkipApprovalScreen bool
RotateKeysAfter time.Duration // Defaults to 6 hours. RotateKeysAfter time.Duration // Defaults to 6 hours.
IDTokensValidFor time.Duration // Defaults to 24 hours IDTokensValidFor time.Duration // Defaults to 24 hours
AuthRequestsValidFor time.Duration // Defaults to 24 hours
GCFrequency time.Duration // Defaults to 5 minutes GCFrequency time.Duration // Defaults to 5 minutes
@ -137,7 +138,8 @@ type Server struct {
now func() time.Time now func() time.Time
idTokensValidFor time.Duration idTokensValidFor time.Duration
authRequestsValidFor time.Duration
logger logrus.FieldLogger logger logrus.FieldLogger
} }
@ -197,6 +199,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
storage: newKeyCacher(c.Storage, now), storage: newKeyCacher(c.Storage, now),
supportedResponseTypes: supported, supportedResponseTypes: supported,
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour), idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
authRequestsValidFor: value(c.AuthRequestsValidFor, 24*time.Hour),
skipApproval: c.SkipApprovalScreen, skipApproval: c.SkipApprovalScreen,
now: now, now: now,
templates: tmpls, templates: tmpls,