Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSO Timeout Configuration #3873

Closed
KevinThompsonYCRX opened this issue Aug 26, 2020 · 12 comments · Fixed by #4494
Closed

SSO Timeout Configuration #3873

KevinThompsonYCRX opened this issue Aug 26, 2020 · 12 comments · Fixed by #4494
Labels
area/sso-rbac type/feature Feature request

Comments

@KevinThompsonYCRX
Copy link

In the new SSO implementation, it looks like the ID token never has the 'Expiry' field set, and defaults to having a 1 hour timeout. It would be more convenient if this was extended, and most convenient if it could be configured in the workflow controller configmap.

The cookie containing this token has a 10 hour timeout. It seems like it would make the most sense for this timeout to match the token Expiry.
https://github.com/argoproj/argo/blob/d07a0e74888254fe78fa653e532c5f1963056598/server/auth/sso/sso.go#L185-L192

This is where I believe the token Expiry value would need to be set:
https://github.com/argoproj/argo/blob/d07a0e74888254fe78fa653e532c5f1963056598/server/auth/sso/sso.go#L153-L165

Related documentation:
https://godoc.org/golang.org/x/oauth2#Token
@alexec
Copy link
Contributor

alexec commented Aug 26, 2020

The 10 hour limit is intended to be a working day. Would you like to raise a PR?

@KevinThompsonYCRX
Copy link
Author

I haven't worked with golang before but I'll give it a try

@boniek83
Copy link

boniek83 commented Sep 8, 2020

I'm under impression that the default is a lot lower than 1h. It is like 1 minute at most. It is infuriating to work like this :D

@KevinThompsonYCRX
Copy link
Author

After doing some more research, it looks like the id_token timeout is determined by the oauth2 provider. For Azure, this is fixed at 3599 seconds (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow).

It seems like implementing a token_refresh is a more appropriate way to address this issue for me. @boniek83 what oauth provider are you using?

@boniek83
Copy link

boniek83 commented Sep 8, 2020
edited by agilgur5

@boniek83 what oauth provider are you using?

On premises gitlab.

@KevinThompsonYCRX
Copy link
Author

I wrote up some rough changes to try and refreshing tokens, but it's not possible since oidc won't refresh id_tokens. This newer PR switches to using access tokens, which can be refreshed to extend SSO logins further: #4035. If refreshes get added into that PR, then this issue can be closed.

@alexec alexec linked a pull request Sep 18, 2020 that will close this issue
fix(server): Switch to using access token for SSO. Fixes #4027 #4035
Closed
6 tasks
@alexec
Copy link
Contributor

alexec commented Sep 18, 2020

The timeout is currently the expiry of the id_token. This varies by provider, but is typically around 5m. This is not what anyone wants. We need to do more work to make this easier.

alexec added a commit to alexec/argo-workflows that referenced this issue Sep 22, 2020
@alexec
feat(server): Argo Server is issuer for SSO. Fixes argoproj#4027 and a…
4a71917 
…rgoproj#3873
@alexec alexec mentioned this issue Sep 22, 2020
Merged
7 tasks
@alexec alexec added the type/feature Feature request label Sep 30, 2020
@alexec
Copy link
Contributor

alexec commented Sep 30, 2020

Once #4095 is merged, it'll be easy to add timeout. Would anyone like to submit a PR?

@alexec alexec added good first issue Good for newcomers help wanted labels Sep 30, 2020
alexec added a commit that referenced this issue Oct 2, 2020
@alexec
feat(server): Make Argo Server issue own JWE for SSO. Fixes #4027 & #…
f7e85f0 
…3873 (#4095)
@arghya88
Copy link
Contributor

arghya88 commented Nov 3, 2020

@alexec so setting a timeout using an environment variable would be a reasonable approach?

@alexec
Copy link
Contributor

alexec commented Nov 3, 2020

I think this might be a commonly used feature. Maybe sso.timeout config item?

@arghya88
Copy link
Contributor

arghya88 commented Nov 3, 2020
edited by agilgur5

I think this might be a commonly used feature. Maybe sso.timeout config item?

You mean set it in the cm https://github.com/argoproj/argo/blob/c71116ddedafde0f2931fbd489b9b17b8bd81e65/docs/workflow-controller-configmap.yaml and use that in code. Is there any other sso config that we can set now via cm? Nevertheless I can give this a try

@alexec
Copy link
Contributor

alexec commented Nov 3, 2020

yes - all SSO config is in the cm

@arghya88 arghya88 mentioned this issue Nov 9, 2020
Merged
1 task
alexcapras pushed a commit to alexcapras/argo that referenced this issue Nov 12, 2020
@alexec @alexcapras
feat(server): Make Argo Server issue own JWE for SSO. Fixes argoproj#…
845fadd 
…4027 & argoproj#3873 (argoproj#4095)

Signed-off-by: Alex Capras <alexcapras@gmail.com>
@alexec alexec mentioned this issue Feb 9, 2021
Closed
@agilgur5 agilgur5 added area/sso-rbac and removed good first issue Good for newcomers labels May 14, 2024
@agilgur5 agilgur5 mentioned this issue May 14, 2024
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/sso-rbac type/feature Feature request
Projects
None yet
Milestone
No milestone
5 participants
@alexec @agilgur5 @boniek83 @arghya88 @KevinThompsonYCRX