Is it possible to postpone the access_token expiration with every call? #335

Open
carlo161 opened this issue Apr 17, 2024 · 8 comments

@carlo161

When I successfully log in and get forwarded to my webpage, I obtain the following:

2024-04-17_12h16_50

I would like to implement some sort of a timeout: if you do not interact with the page in 10 minutes, at the next call you will have to log in again.
Right now I am using:

    authentication portal my_portal {
      crypto default token lifetime 600
      cookie lifetime 7200

But after 20 minutes I have to log in again.
With every call the expiration of the session cookie gets extended, but the access_token one does not.
Is it possible to do that?

@carlo161 carlo161 added need triage question Further information is requested labels Apr 17, 2024
@jspadaro

jspadaro commented Apr 23, 2024

The issue, as it appears to me, is that that token is a JWT that is hardcoded to expire in 900 seconds (15 minutes).

It's pretty annoying with SSO and really annoying if you do local logins or are streaming anything for any duration.

I'm actually not clear why you can even set a cookie lifetime if this limitation is still in place.

I may try to patch something myself for my own use, something like issuing a new JWT if the current one expired within the last 5 or 10 minutes and is otherwise valid, but I would really love to see something similar as an official change.

@greenpau
Owner

You have two different lifetimes: one of the token and one of the cookie holding that token. Set them both to a higher number of seconds to extend the lifetime. I would keep the cookie lifetime a bit longer.

@greenpau
Owner

    crypto default token lifetime 7200
    cookie lifetime 14440

this would be 2 hours expiration

@carlo161
Author

>     crypto default token lifetime 7200
>     cookie lifetime 14440
>
> this would be 2 hours expiration

I am not trying to enlarge the lifetime, but to reset it with every interaction. If the user keeps on working with the page, the lifetime is potentially eternal, but as soon as he stops, after, for example, 10 minutes, the token expires.

@greenpau
Owner

@carlo161, are you asking for the ability to refresh the token just before it expires?

@greenpau
Owner

As long as the user is active?

@jspadaro

Ah, I was mistaken. Either way, my overarching confusion was "Why have a longer cookie lifetime if the JWT expiring kills the session?"

Anyway, back to this issue - yes, @greenpau, I think the ask is to make the token auto-refresh / have the expiration extend to now+increment on every request.

@carlo161
Author

Yes, right. I would like to refresh the token with every call, as long as the user is active.
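
The sliding expiration asked for in this thread, as an added Go example (not the project's code and not from any commenter): each request re-issues the JWT with `exp` moved to now plus the 10-minute idle window, so the session ends only after 10 idle minutes. Assumptions: the names `Slide`, `mint`, `seal` and `claims`, HS256 with a shared key, and an 8-hour absolute cap keyed on an `auth_time` claim, so that a token kept active (or replayed) cannot stay valid forever.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const idle, maxAge = 10 * time.Minute, 8 * time.Hour // maxAge: assumed absolute cap
var enc = base64.RawURLEncoding

type claims struct {
	Sub      string `json:"sub"`
	AuthTime int64  `json:"auth_time"` // login time; never moves
	Exp      int64  `json:"exp"`       // slides forward on each request
}

func seal(key []byte, msg string) string { // appends the HS256 signature to "header.payload"
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return msg + "." + enc.EncodeToString(mac.Sum(nil))
}

func mint(key []byte, c claims) string {
	body, _ := json.Marshal(c)
	return seal(key, enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))+"."+enc.EncodeToString(body))
}

// Slide verifies tok as HS256 (the header's alg is never trusted) and re-issues it with exp = now+idle.
func Slide(key []byte, tok string, now time.Time) (string, bool) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(tok), []byte(seal(key, p[0]+"."+p[1]))) {
		return "", false // malformed or forged
	}
	var c claims
	body, _ := enc.DecodeString(p[1])
	if json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp || now.Sub(time.Unix(c.AuthTime, 0)) >= maxAge {
		return "", false // idle too long or absolute cap reached: log in again
	}
	c.Exp = now.Add(idle).Unix()
	return mint(key, c), true
}

func main() { // constructed demo: login at t=0, next request at t=60s
	fmt.Println(Slide([]byte("demo-key"), mint([]byte("demo-key"), claims{"alice", 0, 600}), time.Unix(60, 0)))
}
```

A caller would run `Slide` on every authenticated request and write the returned token back into the cookie; a `false` result means the user is sent to the login page.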
