Merge pull request #1372 from babiel/configurable-auth-request-expiry

Make expiry of auth requests configurable

This is a band-aid against #1292

I did not change the default from 24h, but I think it should be much lower for safety.
This commit is contained in:
Stephan Renatus 2018-12-13 14:55:42 +01:00 committed by GitHub
commit a3cf7b63b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 24 additions and 8 deletions

View File

@ -233,6 +233,9 @@ type Expiry struct {
// IdTokens defines the duration of time for which the IdTokens will be valid.
IDTokens string `json:"idTokens"`
// AuthRequests defines the duration of time for which the AuthRequests will be valid.
AuthRequests string `json:"authRequests"`
}
// Logger holds configuration required to customize logging for dex.

View File

@ -62,8 +62,9 @@ staticPasswords:
userID: "41331323-6f44-45e6-b3b9-2c4b60c02be5"
expiry:
signingKeys: "6h"
idTokens: "24h"
signingKeys: "7h"
idTokens: "25h"
authRequests: "25h"
logger:
level: "debug"
@ -131,8 +132,9 @@ logger:
},
},
Expiry: Expiry{
SigningKeys: "6h",
IDTokens: "24h",
SigningKeys: "7h",
IDTokens: "25h",
AuthRequests: "25h",
},
Logger: Logger{
Level: "debug",

View File

@ -242,6 +242,14 @@ func serve(cmd *cobra.Command, args []string) error {
logger.Infof("config id tokens valid for: %v", idTokens)
serverConfig.IDTokensValidFor = idTokens
}
if c.Expiry.AuthRequests != "" {
authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
if err != nil {
return fmt.Errorf("invalid config value %q for auth request expiry: %v", c.Expiry.AuthRequests, err)
}
logger.Infof("config auth requests valid for: %v", authRequests)
serverConfig.AuthRequestsValidFor = authRequests
}
serv, err := server.NewServer(context.Background(), serverConfig)
if err != nil {

View File

@ -160,7 +160,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
// screen too long.
//
// See: https://github.com/dexidp/dex/issues/646
authReq.Expiry = s.now().Add(24 * time.Hour) // Totally arbitrary value.
authReq.Expiry = s.now().Add(s.authRequestsValidFor)
if err := s.storage.CreateAuthRequest(authReq); err != nil {
s.logger.Errorf("Failed to create authorization request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")

View File

@ -70,6 +70,7 @@ type Config struct {
RotateKeysAfter time.Duration // Defaults to 6 hours.
IDTokensValidFor time.Duration // Defaults to 24 hours
AuthRequestsValidFor time.Duration // Defaults to 24 hours
GCFrequency time.Duration // Defaults to 5 minutes
@ -138,6 +139,7 @@ type Server struct {
now func() time.Time
idTokensValidFor time.Duration
authRequestsValidFor time.Duration
logger logrus.FieldLogger
}
@ -197,6 +199,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
storage: newKeyCacher(c.Storage, now),
supportedResponseTypes: supported,
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
authRequestsValidFor: value(c.AuthRequestsValidFor, 24*time.Hour),
skipApproval: c.SkipApprovalScreen,
now: now,
templates: tmpls,