Merge pull request #1372 from babiel/configurable-auth-request-expiry

Make expiry of auth requests configurable

This is a band-aid against #1292

I did not change the default from 24h, but I think it should be much lower for safety.
This commit is contained in:
Stephan Renatus 2018-12-13 14:55:42 +01:00 committed by GitHub
commit a3cf7b63b7
5 changed files with 24 additions and 8 deletions


@ -233,6 +233,9 @@ type Expiry struct {
// IdTokens defines the duration of time for which the IdTokens will be valid. // IdTokens defines the duration of time for which the IdTokens will be valid.
IDTokens string `json:"idTokens"` IDTokens string `json:"idTokens"`
// AuthRequests defines the duration of time for which the AuthRequests will be valid.
AuthRequests string `json:"authRequests"`
} }
// Logger holds configuration required to customize logging for dex. // Logger holds configuration required to customize logging for dex.
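Review bot: The comment on the new `AuthRequests` field, directly under `IDTokens`, says what the setting controls but not its format or what an empty value means, and the PR text itself says operators should pick something shorter than the default. The serve hunk parses it with `time.ParseDuration` and newServer falls back to 24h, so that belongs where the setting is documented: `// AuthRequests defines the duration of time for which the AuthRequests will be valid, as a Go duration string such as "10m". Defaults to 24h when empty.` The rest of the Expiry struct lies above the hunk.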


@ -62,8 +62,9 @@ staticPasswords:
userID: "41331323-6f44-45e6-b3b9-2c4b60c02be5" userID: "41331323-6f44-45e6-b3b9-2c4b60c02be5"
expiry: expiry:
signingKeys: "6h" signingKeys: "7h"
idTokens: "24h" idTokens: "25h"
authRequests: "25h"
logger: logger:
level: "debug" level: "debug"
@ -131,8 +132,9 @@ logger:
}, },
}, },
Expiry: Expiry{ Expiry: Expiry{
SigningKeys: "6h", SigningKeys: "7h",
IDTokens: "24h", IDTokens: "25h",
AuthRequests: "25h",
}, },
Logger: Logger{ Logger: Logger{
Level: "debug", Level: "debug",


@ -242,6 +242,14 @@ func serve(cmd *cobra.Command, args []string) error {
logger.Infof("config id tokens valid for: %v", idTokens) logger.Infof("config id tokens valid for: %v", idTokens)
serverConfig.IDTokensValidFor = idTokens serverConfig.IDTokensValidFor = idTokens
} }
if c.Expiry.AuthRequests != "" {
authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
if err != nil {
return fmt.Errorf("invalid config value %q for auth request expiry: %v", c.Expiry.AuthRequests, err)
}
logger.Infof("config auth requests valid for: %v", authRequests)
serverConfig.AuthRequestsValidFor = authRequests
}
serv, err := server.NewServer(context.Background(), serverConfig) serv, err := server.NewServer(context.Background(), serverConfig)
if err != nil { if err != nil {
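Review bot: The duration assigned to `serverConfig.AuthRequestsValidFor` is stored without a sign check, so a config value like `"-1h"` parses cleanly and would push every authorization request's expiry into the past, and `"0s"` is presumably indistinguishable from unset if the `value()` helper in newServer falls back to the default on zero (its body is not in any hunk here). Rejecting non-positive values next to the existing error return keeps the misconfiguration loud: `if authRequests <= 0 { return fmt.Errorf("invalid config value %q for auth request expiry: must be positive", c.Expiry.AuthRequests) }`. The idTokens branch just above has the same gap, but it predates this change. serve continues outside the hunk.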


@ -160,7 +160,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
// screen too long. // screen too long.
// //
// See: https://github.com/dexidp/dex/issues/646 // See: https://github.com/dexidp/dex/issues/646
authReq.Expiry = s.now().Add(24 * time.Hour) // Totally arbitrary value. authReq.Expiry = s.now().Add(s.authRequestsValidFor)
if err := s.storage.CreateAuthRequest(authReq); err != nil { if err := s.storage.CreateAuthRequest(authReq); err != nil {
s.logger.Errorf("Failed to create authorization request: %v", err) s.logger.Errorf("Failed to create authorization request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.") s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")
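Review bot: The comment block ending on the `// See: https://github.com/dexidp/dex/issues/646` line still reads as the justification for the hard-coded 24h that the rewritten `authReq.Expiry` line replaces; its opening sentences sit above the hunk so I only see the tail, but it should now point at the configuration knob. Something like `// The window is Config.AuthRequestsValidFor (24h when unset); see issue 646 for why it must cover a user sitting on the login screen.` keeps the reasoning accurate, with the issue 646 rationale kept as the existing text states it. handleAuthorization starts and ends outside the hunk.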


@ -70,6 +70,7 @@ type Config struct {
RotateKeysAfter time.Duration // Defaults to 6 hours. RotateKeysAfter time.Duration // Defaults to 6 hours.
IDTokensValidFor time.Duration // Defaults to 24 hours IDTokensValidFor time.Duration // Defaults to 24 hours
AuthRequestsValidFor time.Duration // Defaults to 24 hours
GCFrequency time.Duration // Defaults to 5 minutes GCFrequency time.Duration // Defaults to 5 minutes
@ -138,6 +139,7 @@ type Server struct {
now func() time.Time now func() time.Time
idTokensValidFor time.Duration idTokensValidFor time.Duration
authRequestsValidFor time.Duration
logger logrus.FieldLogger logger logrus.FieldLogger
} }
@ -197,6 +199,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
storage: newKeyCacher(c.Storage, now), storage: newKeyCacher(c.Storage, now),
supportedResponseTypes: supported, supportedResponseTypes: supported,
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour), idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
authRequestsValidFor: value(c.AuthRequestsValidFor, 24*time.Hour),
skipApproval: c.SkipApprovalScreen, skipApproval: c.SkipApprovalScreen,
now: now, now: now,
templates: tmpls, templates: tmpls,