Merge pull request #1846 from flant/refresh-token-expiration-policy

feat: Add refresh token expiration and rotation settings
2021-04-24 11:03:40 +02:00
parent b1ac799073 beb8911cf7
commit 551229a986
16 changed files with 738 additions and 230 deletions
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@@ -304,6 +304,9 @@ type Expiry struct {

 	// DeviceRequests defines the duration of time for which the DeviceRequests will be valid.
 	DeviceRequests string `json:"deviceRequests"`
+
+	// RefreshTokens defines refresh tokens expiry policy
+	RefreshTokens RefreshToken `json:"refreshTokens"`
 }

 // Logger holds configuration required to customize logging for dex.
@@ -314,3 +317,10 @@ type Logger struct {
 	// Format specifies the format to be used for logging.
 	Format string `json:"format"`
 }
+
+type RefreshToken struct {
+	DisableRotation   bool   `json:"disableRotation"`
+	ReuseInterval     string `json:"reuseInterval"`
+	AbsoluteLifetime  string `json:"absoluteLifetime"`
+	ValidIfNotUsedFor string `json:"validIfNotUsedFor"`
+}
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -304,6 +304,18 @@ func runServe(options serveOptions) error {
 		logger.Infof("config device requests valid for: %v", deviceRequests)
 		serverConfig.DeviceRequestsValidFor = deviceRequests
 	}
+	refreshTokenPolicy, err := server.NewRefreshTokenPolicy(
+		logger,
+		c.Expiry.RefreshTokens.DisableRotation,
+		c.Expiry.RefreshTokens.ValidIfNotUsedFor,
+		c.Expiry.RefreshTokens.AbsoluteLifetime,
+		c.Expiry.RefreshTokens.ReuseInterval,
+	)
+	if err != nil {
+		return fmt.Errorf("invalid refresh token expiration policy config: %v", err)
+	}
+
+	serverConfig.RefreshTokenPolicy = refreshTokenPolicy
 	serv, err := server.NewServer(context.Background(), serverConfig)
 	if err != nil {
 		return fmt.Errorf("failed to initialize server: %v", err)