Feature #16678
closedDefault lifetime for tokens issued through login
Description
Add a configuration where tokens issued through web login have a default lifetime. An expiration time of 8 or 12 hours implements a policy where users are required to log in again each day, and limits the amount of time an attacker could make use of a stolen token. The token is prevented from manipulating other tokens (i.e. getting other tokens or creating a new token without an expiration).
Document this feature in the admin section.
Related issues
Updated by Peter Amstutz about 4 years ago
- Category set to API
- Description updated (diff)
Updated by Peter Amstutz about 4 years ago
- Related to Idea #16520: GxP Qualification added
Updated by Peter Amstutz about 4 years ago
- Target version set to 2020-08-26 Sprint
Updated by Lucas Di Pentima about 4 years ago
- Assigned To set to Lucas Di Pentima
Updated by Lucas Di Pentima about 4 years ago
- Status changed from New to In Progress
Updated by Lucas Di Pentima about 4 years ago
Updates at 00e16fb - branch 16678-login-tokens-lifetime-config
Test run: developer-run-tests: #2026
- Sets new config knob
Login.TokenLifetime
that takes aDuration
value that will be used to set theexpires_at
field onApiClientAuthorization
resources. Its default value is zero meaning that the feature is disabled.- Now that I see it with fresh eyes after the weekend, it may be more consistent to name it something like
Login.TokenTTL
- Now that I see it with fresh eyes after the weekend, it may be more consistent to name it something like
- On tokens created from a login flow:
- Set the token expiration date if configured.
- Set the
is_trusted
flag tofalse
even if coming from trusted URLs (workbenches) to avoid the user to create new tokens.
- Adds rake tasks
db:check_long_lived_tokens
anddb:fix_long_lived_tokens
to allow the site admin to migrate from a previous token policy (eg: unexpiring tokens) to a more strict policy wrt to preexistent tokens.
Pending: Documentation
Updated by Peter Amstutz about 4 years ago
I pushed some updates to the documentation at 3e38df9fabcbf421ef0b0aac2e82f92373c0e70f rest LGTM!
Updated by Anonymous about 4 years ago
- % Done changed from 0 to 100
- Status changed from In Progress to Resolved
Applied in changeset arvados|bd8bdd90055d61263eff5bdb9a953c57319aa83d.