Feature #16678

Default lifetime for tokens issued through login

Added by Peter Amstutz about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: API
Target version:
Start date: 08/24/2020
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -
Release relationship: Auto

Description

Add a configuration where tokens issued through web login have a default lifetime. An expiration time of 8 or 12 hours implements a policy where users are required to log in again each day, and limits the amount of time an attacker could make use of a stolen token. The token is prevented from manipulating other tokens (i.e. getting other tokens or creating a new token without an expiration).

Document this feature in the admin section.


Subtasks

Task #16690: Review 16678-login-tokens-lifetime-config (Resolved, Lucas Di Pentima)


Related issues

Related to Arvados Epics - Story #16520: GxP Qualification (Resolved, 08/01/2020 to 04/30/2021)

Associated revisions

Revision bd8bdd90
Added by Lucas Di Pentima about 1 year ago

Merge branch '16678-login-tokens-lifetime-config'
Closes #16678

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

History

#1 Updated by Peter Amstutz about 1 year ago

  • Category set to API
  • Description updated (diff)

#2 Updated by Peter Amstutz about 1 year ago

  • Description updated (diff)

#3 Updated by Peter Amstutz about 1 year ago

#4 Updated by Peter Amstutz about 1 year ago

  • Target version set to 2020-08-26 Sprint

#5 Updated by Peter Amstutz about 1 year ago

  • Description updated (diff)

#6 Updated by Lucas Di Pentima about 1 year ago

  • Assigned To set to Lucas Di Pentima

#7 Updated by Lucas Di Pentima about 1 year ago

  • Status changed from New to In Progress

#8 Updated by Peter Amstutz about 1 year ago

  • Release set to 25

#9 Updated by Lucas Di Pentima about 1 year ago

Updates at 00e16fb - branch 16678-login-tokens-lifetime-config
Test run: https://ci.arvados.org/job/developer-run-tests/2026/

  • Sets a new config knob, Login.TokenLifetime, that takes a Duration value that will be used to set the expires_at field on ApiClientAuthorization resources. Its default value is zero, meaning that the feature is disabled.
    • Now that I see it with fresh eyes after the weekend, it may be more consistent to name it something like Login.TokenTTL
  • On tokens created from a login flow:
    • Set the token expiration date if configured.
    • Set the is_trusted flag to false even if coming from trusted URLs (workbenches) to prevent the user from creating new tokens.
  • Adds rake tasks db:check_long_lived_tokens and db:fix_long_lived_tokens to allow the site admin to migrate from a previous token policy (e.g. non-expiring tokens) to a stricter policy with respect to preexisting tokens.

Pending: Documentation
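A worked model of the policy described in the issue description and in note #9, added here as an example; it is not Arvados code. The config layout, the duration syntax, the token field names and the function names are assumptions for illustration, as is the sample token set, which is constructed:

```ruby
# Added example, not Arvados code: models a login-token lifetime policy.
# The YAML layout, the duration grammar and every function name below are
# assumptions for illustration only.
require 'yaml'
require 'securerandom'

# Constructed config fragment (assumed layout). A lifetime of 0s means the
# feature is disabled and login tokens get no expires_at.
CONFIG_YAML = <<~YAML
  Clusters:
    zzzzz:
      Login:
        TokenLifetime: 12h
YAML

# Parse a Go-style duration limited to h/m/s components ("12h", "1h30m",
# "0s") into seconds. Anything else is rejected rather than silently
# treated as "no expiry".
def parse_duration(str)
  s = str.to_s.strip
  raise ArgumentError, "bad duration #{str.inspect}" unless s =~ /\A(\d+[hms])+\z/
  units = { 'h' => 3600, 'm' => 60, 's' => 1 }
  s.scan(/(\d+)([hms])/).sum { |n, u| n.to_i * units[u] }
end

# Read Login.TokenLifetime for one cluster from the config text.
def token_lifetime(yaml, cluster)
  cfg = YAML.safe_load(yaml)
  parse_duration(cfg.fetch('Clusters').fetch(cluster).fetch('Login').fetch('TokenLifetime'))
end

# Issue a token from a login flow. With a lifetime configured the token gets
# expires_at = now + lifetime; is_trusted is forced to false even when the
# client URL is trusted, so this token cannot be used to mint new tokens.
def issue_login_token(now:, lifetime:, trusted_url:)
  {
    uuid: "zzzzz-gj3su-#{SecureRandom.hex(8)}",   # illustrative id format
    created_at: now,
    expires_at: lifetime > 0 ? now + lifetime : nil,
    is_trusted: false,                              # deliberately ignores trusted_url
  }
end

# A token is usable only before its expiry; nil means it never expires.
def token_valid?(token, now)
  token[:expires_at].nil? || now < token[:expires_at]
end

# Only trusted tokens may list or create other tokens.
def can_manage_tokens?(token)
  token[:is_trusted] == true
end

# Analogue of a db:check_long_lived_tokens task: tokens that outlive the
# policy are those with no expiry or an expiry later than now + lifetime.
def long_lived_tokens(tokens, now:, lifetime:)
  limit = now + lifetime
  tokens.select { |t| t[:expires_at].nil? || t[:expires_at] > limit }
end

# Analogue of a db:fix_long_lived_tokens task: clamp offending tokens to the
# new limit and leave compliant ones untouched.
def fix_long_lived_tokens(tokens, now:, lifetime:)
  limit = now + lifetime
  tokens.map do |t|
    next t unless t[:expires_at].nil? || t[:expires_at] > limit
    t.merge(expires_at: limit)
  end
end

# Constructed sample of preexisting tokens as a site might hold before the
# policy change: one legacy token without expiry, one with a 30-day expiry,
# one already inside the new limit.
NOW = Time.utc(2020, 8, 24, 9, 0, 0)
SAMPLE_TOKENS = [
  { uuid: 'zzzzz-gj3su-legacy000000000', created_at: NOW - 86_400 * 90, expires_at: nil,                is_trusted: true },
  { uuid: 'zzzzz-gj3su-thirtydays00000', created_at: NOW,               expires_at: NOW + 86_400 * 30, is_trusted: false },
  { uuid: 'zzzzz-gj3su-twohours0000000', created_at: NOW,               expires_at: NOW + 7_200,       is_trusted: false },
].freeze

if __FILE__ == $PROGRAM_NAME
  ttl = token_lifetime(CONFIG_YAML, 'zzzzz')
  puts "lifetime: #{ttl}s"
  puts "long-lived: #{long_lived_tokens(SAMPLE_TOKENS, now: NOW, lifetime: ttl).map { |t| t[:uuid] }}"
  fixed = fix_long_lived_tokens(SAMPLE_TOKENS, now: NOW, lifetime: ttl)
  puts "after fix: #{long_lived_tokens(fixed, now: NOW, lifetime: ttl).size} long-lived"
end
```

Run the check before the fix on a real migration: the check is read-only and tells the admin which existing tokens (including any legacy non-expiring trusted ones) the stricter policy will cut short, while the fix rewrites them in place.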

#10 Updated by Lucas Di Pentima about 1 year ago

Documentation added at 46fefa537

#11 Updated by Peter Amstutz about 1 year ago

I pushed some updates to the documentation at 3e38df9fabcbf421ef0b0aac2e82f92373c0e70f, the rest LGTM!

#12 Updated by Anonymous about 1 year ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Resolved
