Andrew Martinez
While there is a solution to this issue, we have a chance to improve our documentation. We should have reference guides for integrating w/ Google/Auth0/etc.
The goal is to support complex logic to allow different success paths. The performance to evaluate a single check is tiny and of no real consequence.
1. SDKs can extend their certs, but don't. As the capability becomes implemented clients will begin to do so. This allows someone to enforce cert expiration w/o losing existing clients....
> It feels dangerous to lock the default admin permanently. I assume the goal is to impede brute forcing the password, so a tarpit is sufficient to make brute forcing...
If the authenticator is being effectively revoked (by being replaced) it makes sense that all API sessions tied to that authenticator be removed. I do understand that this makes it...
This functionality refers to legacy authentication (i.e. non-OIDC). OpenZiti is moving to a new authentication model where this issue is handled differently (through revocations) that can be issued. Closing due...
> Which configuration could become centralized?

The first round are configurations that must/should be the same between controllers.
- OIDC configuration
- enrollment durations for routers/identities
- API rate limiters...
This would occur any time a controller action (admin, posture check, etc.) takes place that removes a session (i.e. admin delete session, admin delete API session, admin delete identity, etc)....
We have talked about this internally before. There is a cost in user complexity to having per-signer mappings, and we haven't moved in that direction because of it. We understand...