Per-client access token expiration #14784
Conversation
|
[test] |
| @@ -84,6 +84,13 @@ func (w *clientWrapper) GetUserData() interface{} { | |||
| return w.client | |||
| } | |||
|
|
|||
| func (w *clientWrapper) GetExpiration(defaultExpiration int32) int32 { | |||
| if w.client.AccessTokenMaxAgeSeconds != nil { | |||
There was a problem hiding this comment.
Should there be an upper bound beyond which users can't specify? Under admin control? Or can we convincingly argue that only admins should be able to edit OAuthClients?
There was a problem hiding this comment.
they are admin-controlled today, especially since grant method can be set to auto accept per-client
|
I don't ha e any objections to this. |
|
@openshift/security |
|
So I know we want most of the OAuth objects to be user managible at some point. Not sure if I would want a user to able to ever change expiration though. |
pkg/oauth/api/types.go
Outdated
|
|
||
| // AccessTokenMaxAgeSeconds overrides the default access token max age for tokens granted to this client. | ||
| // 0 means no expiration. | ||
| AccessTokenMaxAgeSeconds *int32 |
There was a problem hiding this comment.
I assume max int32 in seconds fits in max int64 in nanoseconds (time.Duration).
| @@ -23,6 +24,10 @@ func NewAuthorizeAuthenticator(request authenticator.Request, handler Authentica | |||
| return &AuthorizeAuthenticator{request, handler, errorHandler} | |||
| } | |||
|
|
|||
| type ClientExpiration interface { | |||
| GetExpiration(int32) int32 | |||
There was a problem hiding this comment.
Is there any way to turn this into GetExpiration() int32? Taking in the default seems meh.
openshift-bot
added
the
needs-rebase
|
Trello card is still in backlog so moving this to 3.7. @pweil- I assume that is fine. |
|
Evaluated for origin test up to 6f1b7b4 |
openshift-bot
removed
the
needs-rebase
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/3098/) (Base Commit: a108425) (PR Branch Commit: 6f1b7b4) |
openshift-merge-robot
added
needs-rebase
openshift-merge-robot
added
approved
|
/unassign |
openshift-merge-robot
removed
the
needs-rebase
|
cc @openshift/sig-security |
openshift-merge-robot
added
approved
openshift-ci-robot
added
size/L
|
/retest |
|
@enj PTAL |
| @@ -23,6 +23,13 @@ func NewAuthorizeAuthenticator(request authenticator.Request, handler Authentica | |||
| return &AuthorizeAuthenticator{request, handler, errorHandler} | |||
| } | |||
|
|
|||
| type TokenMaxAgeSeconds interface { | |||
There was a problem hiding this comment.
I do not know if this is the best place to define this interface.
Maybe pkg/oauth/server/osinserver/interfaces.go?
There was a problem hiding this comment.
I do not know if this is the best place to define this interface.
why not? this is the only place the interface is used
There was a problem hiding this comment.
I was not sure if we wanted to import github.com/openshift/origin/pkg/auth/oauth/handlers in pkg/oauth/server/osinserver/registrystorage/storage.go
| @@ -82,6 +82,10 @@ func (w *clientWrapper) GetUserData() interface{} { | |||
| return w.client | |||
| } | |||
|
|
|||
| func (w *clientWrapper) GetTokenMaxAgeSeconds() *int32 { | |||
There was a problem hiding this comment.
Need a type assertion for TokenMaxAgeSeconds interface.
| } | ||
|
|
||
| // Use the server and CA info | ||
| anonConfig := restclient.Config{} |
| } | ||
|
|
||
| { | ||
| five := int32(5) |
There was a problem hiding this comment.
Is 5 seconds long enough for it to not flake during load?
|
comments addressed, PTAL |
| expires := created.Add(time.Duration(token.ExpiresIn) * time.Second) | ||
| expires := "never" | ||
| if token.ExpiresIn > 0 { | ||
| expires = created.Add(time.Duration(token.ExpiresIn) * time.Second).String() |
There was a problem hiding this comment.
printOAuthClient should be updated with AccessTokenMaxAgeSeconds
| @@ -23,6 +23,13 @@ func NewAuthorizeAuthenticator(request authenticator.Request, handler Authentica | |||
| return &AuthorizeAuthenticator{request, handler, errorHandler} | |||
| } | |||
|
|
|||
| type TokenMaxAgeSeconds interface { | |||
There was a problem hiding this comment.
I was not sure if we wanted to import github.com/openshift/origin/pkg/auth/oauth/handlers in pkg/oauth/server/osinserver/registrystorage/storage.go
I don't care for now... we can hoist the interface up to a common package and do an assertion there if it becomes an issue |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, liggitt The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
|
Flake #15900 |
|
/retest |
|
Flake #16248 |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 14784, 16418, 16406, 16431, 14796) |
|
@liggitt: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This allows overriding max access token age per OAuthClient.
https://trello.com/c/hNhBstvg
OAuthClient object gains a new field: accessTokenMaxAgeSeconds