This repository has been archived by the owner on Jul 13, 2023. It is now read-only.
Currently all tokens generated have a single configuration option for Expiration. If this is set to a high interval, it is possible to re-use a URL based token redirect and re-initiate a logged-out session.
Instead, redirected tokens should have a short expiration time. Refreshed tokens usually live in a client session, header or cookie and can have a longer interval. Therefore consumers will need to refresh their token upon the first opportunity after redirect.
The following things need a bit of refactoring:
The authReply method should accept a time.Time instead of looking to the server config.
AuthenticatePwUser and RefreshJWT gRPC methods should accept a time stamp, so the consumer decides the requirements.
Adjust the admin login form to use short timeouts.
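As an added illustration of the split proposed above (example code, not from this repository): a standard-library HS256 JWT issuer in Go where the caller passes the expiry instead of reading a server-wide setting, with a short TTL for the redirect token and a longer one for the session token that replaces it. The key, the TTL values, the claim set and the function names are assumptions; `issueToken` stands in for `authReply`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Expiry policy from the proposal (values assumed): short for redirect tokens, longer for session tokens.
const RedirectTTL, SessionTTL = 30 * time.Second, 24 * time.Hour

type Claims struct { // minimal JWT payload
	Subject   string `json:"sub"`
	ExpiresAt int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

var encHeader = b64([]byte(`{"alg":"HS256","typ":"JWT"}`))

func sign(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// issueToken stands in for authReply: the caller supplies clock and TTL, so no server-wide expiration is consulted.
func issueToken(key []byte, subject string, now time.Time, ttl time.Duration) string {
	payload, _ := json.Marshal(Claims{Subject: subject, ExpiresAt: now.Add(ttl).Unix()}) // plain struct, cannot fail
	input := encHeader + "." + b64(payload)
	return input + "." + b64(sign(key, input))
}

// verifyToken checks the signature in constant time, then the expiry, so a replayed redirect token is refused once its short TTL has passed.
func verifyToken(key []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != encHeader { // pins alg to HS256
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1]) // already authenticated above
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```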