Make expiry of auth requests configurable
This commit is contained in:
parent
aafbaa36c5
commit
468c74d1d2
5 changed files with 22 additions and 6 deletions
|
@ -233,6 +233,9 @@ type Expiry struct {
|
||||||
|
|
||||||
// IdTokens defines the duration of time for which the IdTokens will be valid.
|
// IdTokens defines the duration of time for which the IdTokens will be valid.
|
||||||
IDTokens string `json:"idTokens"`
|
IDTokens string `json:"idTokens"`
|
||||||
|
|
||||||
|
// AuthRequests defines the duration of time for which the AuthRequests will be valid.
|
||||||
|
AuthRequests string `json:"authRequests"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Logger holds configuration required to customize logging for dex.
|
// Logger holds configuration required to customize logging for dex.
|
||||||
|
|
|
@ -64,6 +64,7 @@ staticPasswords:
|
||||||
expiry:
|
expiry:
|
||||||
signingKeys: "6h"
|
signingKeys: "6h"
|
||||||
idTokens: "24h"
|
idTokens: "24h"
|
||||||
|
authRequests: "24h"
|
||||||
|
|
||||||
logger:
|
logger:
|
||||||
level: "debug"
|
level: "debug"
|
||||||
|
@ -131,8 +132,9 @@ logger:
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Expiry: Expiry{
|
Expiry: Expiry{
|
||||||
SigningKeys: "6h",
|
SigningKeys: "6h",
|
||||||
IDTokens: "24h",
|
IDTokens: "24h",
|
||||||
|
AuthRequests: "24h",
|
||||||
},
|
},
|
||||||
Logger: Logger{
|
Logger: Logger{
|
||||||
Level: "debug",
|
Level: "debug",
|
||||||
|
|
|
@ -242,6 +242,14 @@ func serve(cmd *cobra.Command, args []string) error {
|
||||||
logger.Infof("config id tokens valid for: %v", idTokens)
|
logger.Infof("config id tokens valid for: %v", idTokens)
|
||||||
serverConfig.IDTokensValidFor = idTokens
|
serverConfig.IDTokensValidFor = idTokens
|
||||||
}
|
}
|
||||||
|
if c.Expiry.AuthRequests != "" {
|
||||||
|
authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("invalid config value %q for auth request expiry: %v", c.Expiry.AuthRequests, err)
|
||||||
|
}
|
||||||
|
logger.Infof("config auth requests valid for: %v", authRequests)
|
||||||
|
serverConfig.AuthRequestsValidFor = authRequests
|
||||||
|
}
|
||||||
|
|
||||||
serv, err := server.NewServer(context.Background(), serverConfig)
|
serv, err := server.NewServer(context.Background(), serverConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -160,7 +160,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
|
||||||
// screen too long.
|
// screen too long.
|
||||||
//
|
//
|
||||||
// See: https://github.com/dexidp/dex/issues/646
|
// See: https://github.com/dexidp/dex/issues/646
|
||||||
authReq.Expiry = s.now().Add(24 * time.Hour) // Totally arbitrary value.
|
authReq.Expiry = s.now().Add(s.authRequestsValidFor)
|
||||||
if err := s.storage.CreateAuthRequest(authReq); err != nil {
|
if err := s.storage.CreateAuthRequest(authReq); err != nil {
|
||||||
s.logger.Errorf("Failed to create authorization request: %v", err)
|
s.logger.Errorf("Failed to create authorization request: %v", err)
|
||||||
s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")
|
s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")
|
||||||
|
|
|
@ -68,8 +68,9 @@ type Config struct {
|
||||||
// Logging in implies approval.
|
// Logging in implies approval.
|
||||||
SkipApprovalScreen bool
|
SkipApprovalScreen bool
|
||||||
|
|
||||||
RotateKeysAfter time.Duration // Defaults to 6 hours.
|
RotateKeysAfter time.Duration // Defaults to 6 hours.
|
||||||
IDTokensValidFor time.Duration // Defaults to 24 hours
|
IDTokensValidFor time.Duration // Defaults to 24 hours
|
||||||
|
AuthRequestsValidFor time.Duration // Defaults to 24 hours
|
||||||
|
|
||||||
GCFrequency time.Duration // Defaults to 5 minutes
|
GCFrequency time.Duration // Defaults to 5 minutes
|
||||||
|
|
||||||
|
@ -137,7 +138,8 @@ type Server struct {
|
||||||
|
|
||||||
now func() time.Time
|
now func() time.Time
|
||||||
|
|
||||||
idTokensValidFor time.Duration
|
idTokensValidFor time.Duration
|
||||||
|
authRequestsValidFor time.Duration
|
||||||
|
|
||||||
logger logrus.FieldLogger
|
logger logrus.FieldLogger
|
||||||
}
|
}
|
||||||
|
@ -197,6 +199,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
|
||||||
storage: newKeyCacher(c.Storage, now),
|
storage: newKeyCacher(c.Storage, now),
|
||||||
supportedResponseTypes: supported,
|
supportedResponseTypes: supported,
|
||||||
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
|
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
|
||||||
|
authRequestsValidFor: value(c.AuthRequestsValidFor, 24*time.Hour),
|
||||||
skipApproval: c.SkipApprovalScreen,
|
skipApproval: c.SkipApprovalScreen,
|
||||||
now: now,
|
now: now,
|
||||||
templates: tmpls,
|
templates: tmpls,
|
||||||
|
|
Reference in a new issue