From 468c74d1d28af4d08b9a5d9200721e158f415301 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Ga=C3=9F?= <m.gass@babiel.com>
Date: Thu, 13 Dec 2018 11:40:58 +0100
Subject: [PATCH] Make expiry of auth requests configurable

---
 cmd/dex/config.go      | 3 +++
 cmd/dex/config_test.go | 6 ++++--
 cmd/dex/serve.go       | 8 ++++++++
 server/handlers.go     | 2 +-
 server/server.go       | 9 ++++++---
 5 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/cmd/dex/config.go b/cmd/dex/config.go
index dde36978..0071b4fd 100644
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@@ -233,6 +233,9 @@ type Expiry struct {
 
 	// IdTokens defines the duration of time for which the IdTokens will be valid.
 	IDTokens string `json:"idTokens"`
+
+	// AuthRequests defines the duration of time for which the AuthRequests will be valid.
+	AuthRequests string `json:"authRequests"`
 }
 
 // Logger holds configuration required to customize logging for dex.
diff --git a/cmd/dex/config_test.go b/cmd/dex/config_test.go
index e1b29f78..5ed8a58e 100644
--- a/cmd/dex/config_test.go
+++ b/cmd/dex/config_test.go
@@ -64,6 +64,7 @@ staticPasswords:
 expiry:
   signingKeys: "6h"
   idTokens: "24h"
+  authRequests: "24h"
 
 logger:
   level: "debug"
@@ -131,8 +132,9 @@ logger:
 			},
 		},
 		Expiry: Expiry{
-			SigningKeys: "6h",
-			IDTokens:    "24h",
+			SigningKeys:  "6h",
+			IDTokens:     "24h",
+			AuthRequests: "24h",
 		},
 		Logger: Logger{
 			Level:  "debug",
diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
index dcc0c352..10200a30 100644
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -242,6 +242,14 @@ func serve(cmd *cobra.Command, args []string) error {
 		logger.Infof("config id tokens valid for: %v", idTokens)
 		serverConfig.IDTokensValidFor = idTokens
 	}
+	if c.Expiry.AuthRequests != "" {
+		authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
+		if err != nil {
+			return fmt.Errorf("invalid config value %q for auth request expiry: %v", c.Expiry.AuthRequests, err)
+		}
+		logger.Infof("config auth requests valid for: %v", authRequests)
+		serverConfig.AuthRequestsValidFor = authRequests
+	}
 
 	serv, err := server.NewServer(context.Background(), serverConfig)
 	if err != nil {
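Review bot: The parsed duration is stored in serverConfig.AuthRequestsValidFor without checking its sign, so a config value such as `authRequests: "-1h"` is accepted here, and every authorization request would then carry an Expiry that is already in the past when it is created (the `s.now().Add(s.authRequestsValidFor)` line in server/handlers.go); a literal `"0s"` presumably falls back to the 24h default in newServer, but only if `value` treats zero as unset — confirm. Add a guard after the parse: `if authRequests <= 0 { return fmt.Errorf("auth request expiry must be positive, got %q", c.Expiry.AuthRequests) }`. The idTokens branch immediately above appears to have the same gap, so the check belongs in both. serve's body starts and ends outside the hunk.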
diff --git a/server/handlers.go b/server/handlers.go
index acbd19bf..b309191d 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -160,7 +160,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 	// screen too long.
 	//
 	// See: https://github.com/dexidp/dex/issues/646
-	authReq.Expiry = s.now().Add(24 * time.Hour) // Totally arbitrary value.
+	authReq.Expiry = s.now().Add(s.authRequestsValidFor)
 	if err := s.storage.CreateAuthRequest(authReq); err != nil {
 		s.logger.Errorf("Failed to create authorization request: %v", err)
 		s.renderError(w, http.StatusInternalServerError, "Failed to connect to the database.")
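Review bot: The explanatory comment ending at the `See:` line just above the changed assignment still reads as if the expiry were a fixed constant; now that the value comes from configuration, append `// The window is Config.AuthRequestsValidFor (default 24h).` so a reader does not have to trace s.authRequestsValidFor back to server.go. The start of that comment is outside the hunk, so its earlier wording may already say this. handleAuthorization's body starts and ends outside the hunk.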
diff --git a/server/server.go b/server/server.go
index adf872eb..cf9f7b47 100644
--- a/server/server.go
+++ b/server/server.go
@@ -68,8 +68,9 @@ type Config struct {
 	// Logging in implies approval.
 	SkipApprovalScreen bool
 
-	RotateKeysAfter  time.Duration // Defaults to 6 hours.
-	IDTokensValidFor time.Duration // Defaults to 24 hours
+	RotateKeysAfter      time.Duration // Defaults to 6 hours.
+	IDTokensValidFor     time.Duration // Defaults to 24 hours
+	AuthRequestsValidFor time.Duration // Defaults to 24 hours
 
 	GCFrequency time.Duration // Defaults to 5 minutes
 
@@ -137,7 +138,8 @@ type Server struct {
 
 	now func() time.Time
 
-	idTokensValidFor time.Duration
+	idTokensValidFor     time.Duration
+	authRequestsValidFor time.Duration
 
 	logger logrus.FieldLogger
 }
@@ -197,6 +199,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		storage:                newKeyCacher(c.Storage, now),
 		supportedResponseTypes: supported,
 		idTokensValidFor:       value(c.IDTokensValidFor, 24*time.Hour),
+		authRequestsValidFor:   value(c.AuthRequestsValidFor, 24*time.Hour),
 		skipApproval:           c.SkipApprovalScreen,
 		now:                    now,
 		templates:              tmpls,
-- 
GitLab