Feature #16678

Default lifetime for tokens issued through login

Added by Peter Amstutz over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: API
Target version:
Story points: -
Release relationship: Auto

Description

Add a configuration where tokens issued through web login have a default lifetime. An expiration time of 8 or 12 hours implements a policy where users are required to log in again each day, and limits the amount of time an attacker could make use of a stolen token. The token is also prevented from manipulating other tokens (i.e. getting other tokens or creating a new token without an expiration).

Document this feature in the admin section.


Subtasks: 1 (0 open, 1 closed)

Task #16690: Review 16678-login-tokens-lifetime-config (Resolved, Lucas Di Pentima, 08/24/2020)

Related issues

Related to Arvados Epics - Idea #16520: GxP Qualification (Resolved, 08/01/2020, 04/30/2021)

#1

Updated by Peter Amstutz over 3 years ago

  • Category set to API
  • Description updated (diff)
#2

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
#3

Updated by Peter Amstutz over 3 years ago

#4

Updated by Peter Amstutz over 3 years ago

  • Target version set to 2020-08-26 Sprint
#5

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
#6

Updated by Lucas Di Pentima over 3 years ago

  • Assigned To set to Lucas Di Pentima
#7

Updated by Lucas Di Pentima over 3 years ago

  • Status changed from New to In Progress
#8

Updated by Peter Amstutz over 3 years ago

  • Release set to 25
#9

Updated by Lucas Di Pentima over 3 years ago

Updates at 00e16fb - branch 16678-login-tokens-lifetime-config
Test run: developer-run-tests: #2026

  • Sets new config knob Login.TokenLifetime that takes a Duration value that will be used to set the expires_at field on ApiClientAuthorization resources. Its default value is zero, meaning that the feature is disabled.
    • Now that I see it with fresh eyes after the weekend, it may be more consistent to name it something like Login.TokenTTL
  • On tokens created from a login flow:
    • Set the token expiration date if configured.
    • Set the is_trusted flag to false even if coming from trusted URLs (workbenches) to prevent the user from creating new tokens.
  • Adds rake tasks db:check_long_lived_tokens and db:fix_long_lived_tokens to allow the site admin to migrate from a previous token policy (e.g. unexpiring tokens) to a stricter policy with regard to pre-existing tokens.

Pending: Documentation
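
An added example, written for this page and not Arvados code, that models the policy from the ticket description and from the update above: a login-issued token gets its expires_at from a Login.TokenLifetime-style value and has is_trusted set to false, an untrusted token cannot mint new tokens, and two helpers play the role of the db:check_long_lived_tokens and db:fix_long_lived_tokens tasks. The duration-string parser, the Token struct and all function names are assumptions made for the example.

```ruby
# Constructed model of the policy in this ticket (example code, not Arvados').
# A token record carries the two fields discussed: expires_at and is_trusted.
Token = Struct.new(:uuid, :expires_at, :is_trusted)

# Login.TokenLifetime-style value as seconds; 0 means the feature is disabled.
# Accepting "8h"/"12h" strings is an assumption made for this example.
def parse_lifetime(str)
  m = /\A(\d+)([smhd])\z/.match(str.to_s.strip)
  return 0 if m.nil?
  m[1].to_i * { 's' => 1, 'm' => 60, 'h' => 3600, 'd' => 86_400 }[m[2]]
end

# Token minted by a web login: gets an expiry when the knob is set and is never
# trusted, so it cannot be used to mint further (possibly unexpiring) tokens.
def issue_login_token(uuid, lifetime_s, now = Time.now.utc)
  expires = lifetime_s > 0 ? now + lifetime_s : nil
  Token.new(uuid, expires, false)
end

# Minting a token with an existing token: only a trusted token may do so. This
# is the "prevented from manipulating other tokens" rule from the description.
def create_token_with(creator, uuid)
  raise 'untrusted token may not create tokens' unless creator.is_trusted
  Token.new(uuid, nil, true)
end

# Stand-in for a check_long_lived_tokens task: tokens with no expiry, or that
# expire later than the policy allows, are flagged for the admin.
def long_lived_tokens(tokens, lifetime_s, now = Time.now.utc)
  limit = now + lifetime_s
  tokens.select { |t| t.expires_at.nil? || t.expires_at > limit }
end

# Stand-in for a fix_long_lived_tokens task: clamp offenders to the policy
# limit, returning the number of tokens changed.
def fix_long_lived_tokens!(tokens, lifetime_s, now = Time.now.utc)
  offenders = long_lived_tokens(tokens, lifetime_s, now)
  offenders.each { |t| t.expires_at = now + lifetime_s }
  offenders.size
end
```

Running the check before the fix shows exactly which pre-existing tokens (unexpiring or expiring beyond the new limit) the stricter policy would affect.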

#10

Updated by Lucas Di Pentima over 3 years ago

Documentation added at 46fefa537

#11

Updated by Peter Amstutz over 3 years ago

I pushed some updates to the documentation at 3e38df9fabcbf421ef0b0aac2e82f92373c0e70f, the rest LGTM!

#12

Updated by Anonymous over 3 years ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Resolved