Make expiry of auth requests configurable

This commit is contained in:
Maximilian Gaß 2018-12-13 11:40:58 +01:00
parent aafbaa36c5
commit 468c74d1d2
5 changed files with 22 additions and 6 deletions

View File

@ -233,6 +233,9 @@ type Expiry struct {
// IdTokens defines the duration of time for which the IdTokens will be valid.
IDTokens string `json:"idTokens"`
// AuthRequests defines the duration of time for which the AuthRequests will be valid.
AuthRequests string `json:"authRequests"`
}
// Logger holds configuration required to customize logging for dex.

View File

@ -64,6 +64,7 @@ staticPasswords:
expiry:
signingKeys: "6h"
idTokens: "24h"
authRequests: "24h"
logger:
level: "debug"
@ -131,8 +132,9 @@ logger:
},
},
Expiry: Expiry{
SigningKeys: "6h",
IDTokens: "24h",
SigningKeys: "6h",
IDTokens: "24h",
AuthRequests: "24h",
},
Logger: Logger{
Level: "debug",

View File

@ -242,6 +242,14 @@ func serve(cmd *cobra.Command, args []string) error {
logger.Infof("config id tokens valid for: %v", idTokens)
serverConfig.IDTokensValidFor = idTokens
}
if c.Expiry.AuthRequests != "" {
authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
if err != nil {
return fmt.Errorf("invalid config value %q for auth request expiry: %v", c.Expiry.AuthRequests, err)
}
logger.Infof("config auth requests valid for: %v", authRequests)
serverConfig.AuthRequestsValidFor = authRequests
}
serv, err := server.NewServer(context.Background(), serverConfig)
if err != nil {

View File

@ -160,7 +160,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
// screen too long.
//
// See: https://github.com/dexidp/dex/issues/646
authReq.Expiry = s.now().Add(24 * time.Hour) // Totally arbitrary value.
authReq.Expiry = s.now().Add(s.authRequestsValidFor)
if err := s.storage.CreateAuthRequest(authReq); err != nil {
s.logger.Errorf("Failed to create authorization request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")

View File

@ -68,8 +68,9 @@ type Config struct {
// Logging in implies approval.
SkipApprovalScreen bool
RotateKeysAfter time.Duration // Defaults to 6 hours.
IDTokensValidFor time.Duration // Defaults to 24 hours
RotateKeysAfter time.Duration // Defaults to 6 hours.
IDTokensValidFor time.Duration // Defaults to 24 hours
AuthRequestsValidFor time.Duration // Defaults to 24 hours
GCFrequency time.Duration // Defaults to 5 minutes
@ -137,7 +138,8 @@ type Server struct {
now func() time.Time
idTokensValidFor time.Duration
idTokensValidFor time.Duration
authRequestsValidFor time.Duration
logger logrus.FieldLogger
}
@ -197,6 +199,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
storage: newKeyCacher(c.Storage, now),
supportedResponseTypes: supported,
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
authRequestsValidFor: value(c.AuthRequestsValidFor, 24*time.Hour),
skipApproval: c.SkipApprovalScreen,
now: now,
templates: tmpls,