SSO Timeout Configuration #3873
Comments
The 10 hour limit is intended to be a working day. Would you like to raise a PR?
I haven't worked with golang before but I'll give it a try
I'm under the impression that the default is a lot lower than 1h. It is like 1 minute at most. It is infuriating to work like this :D
After doing some more research, it looks like the id_token timeout is determined by the oauth2 provider. For Azure, this is fixed at 3599 seconds (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow). It seems like implementing a token_refresh is a more appropriate way to address this issue for me. @boniek83 what oauth provider are you using?
On premises gitlab.
I wrote up some rough changes to try refreshing tokens, but it's not possible since oidc won't refresh id_tokens. This newer PR switches to using access tokens, which can be refreshed to extend SSO logins further: #4035. If refreshes get added into that PR, then this issue can be closed.
The timeout is currently the expiry of the
Once #4095 is merged, it'll be easy to add timeout. Would anyone like to submit a PR?
@alexec so setting a timeout using an environment variable would be a reasonable approach?
I think this might be a commonly used feature. Maybe
You mean set it in the cm https://github.com/argoproj/argo/blob/c71116ddedafde0f2931fbd489b9b17b8bd81e65/docs/workflow-controller-configmap.yaml and use that in code. Is there any other sso config that we can set now via cm? Nevertheless I can give this a try
yes - all SSO config is in the cm
…4027 & argoproj#3873 (argoproj#4095) Signed-off-by: Alex Capras <alexcapras@gmail.com>
In the new SSO implementation, it looks like the ID token never has the 'Expiry' field set, and defaults to having a 1 hour timeout. It would be more convenient if this was extended, and most convenient if it could be configured in the workflow controller configmap.
The cookie containing this token has a 10 hour timeout. It seems like it would make the most sense for this timeout to match the token Expiry.
https://github.com/argoproj/argo/blob/d07a0e74888254fe78fa653e532c5f1963056598/server/auth/sso/sso.go#L185-L192
This is where I believe the token Expiry value would need to be set:
https://github.com/argoproj/argo/blob/d07a0e74888254fe78fa653e532c5f1963056598/server/auth/sso/sso.go#L153-L165
Related documentation:
https://godoc.org/golang.org/x/oauth2#Token
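
The mismatch described in this issue (a 10 hour cookie around a token that expires after about 1 hour) can be avoided by deriving the cookie lifetime from both the token expiry and a configured session limit. The following is an added example, not code from the Argo repository; the function names, the cookie name and the `configured` parameter are hypothetical, and it assumes the token expiry is already available as a `time.Time`.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// Hypothetical names throughout; this is not Argo's sso.go.
const defaultSessionExpiry = 10 * time.Hour // the "working day" limit from the thread
var errTokenExpired = errors.New("token already expired")

// sessionDeadline returns the earlier of the provider-issued token expiry and
// now+configured, so the cookie never outlives the token it carries. A zero
// tokenExpiry (Expiry never set, as the issue reports) falls back to the
// configured limit; a non-positive configured value falls back to the default.
func sessionDeadline(now, tokenExpiry time.Time, configured time.Duration) (time.Time, error) {
	if configured <= 0 {
		configured = defaultSessionExpiry
	}
	deadline := now.Add(configured)
	if tokenExpiry.IsZero() {
		return deadline, nil
	}
	if !tokenExpiry.After(now) {
		return time.Time{}, errTokenExpired // never issue a cookie for a dead token
	}
	if tokenExpiry.Before(deadline) {
		deadline = tokenExpiry
	}
	return deadline, nil
}

// newSessionCookie builds the session cookie with Expires and MaxAge aligned.
func newSessionCookie(value string, now, tokenExpiry time.Time, configured time.Duration) (*http.Cookie, error) {
	deadline, err := sessionDeadline(now, tokenExpiry, configured)
	if err != nil {
		return nil, err
	}
	return &http.Cookie{
		Name: "authorization", Value: value, Path: "/",
		Expires: deadline, MaxAge: int(deadline.Sub(now) / time.Second),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	}, nil
}

func main() {
	now := time.Date(2020, 9, 1, 9, 0, 0, 0, time.UTC) // constructed sample time
	c, _ := newSessionCookie("constructed-token", now, now.Add(3599*time.Second), 10*time.Hour)
	fmt.Println(c.Expires, c.MaxAge) // Azure-style 3599 s token bounds the 10 h limit
}
```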