caddy-security

Is it possible to postpone the access_token expiration with every call?

Open carlo161 opened this issue 10 months ago • 10 comments

When I successfully log in and get forwarded to my webpage, I obtain the following:

[Image: 2024-04-17_12h16_50]

I would like to implement some sort of a timeout: if you do not interact with the page in 10 minutes, at the next call you will have to log in again. Right now I am using:

    authentication portal my_portal {
      crypto default token lifetime 600
      cookie lifetime 7200

But after 20 minutes I have to log in again. With every call the expiration of the session cookie gets extended, but the access_token one does not. Is it possible to do that?

carlo161, Apr 17 '24 14:04

The issue, as it appears to me, is that that token is a JWT that is hardcoded to expire in 900 seconds (15 minutes).

It's pretty annoying with SSO and really annoying if you do local logins or are streaming anything for any duration.

I'm actually not clear why you can even set a cookie lifetime if this limitation is still in place.

I may try to patch something myself for my own use, something like issue a new JWT if the current one expired within the last 5 or 10 minutes and is otherwise valid, but I would really love to see something similar as an official change.

jspadaro, Apr 23 '24 19:04

You have two different lifetimes: one of the token and one of the cookie holding that token. Set them both to a higher number of seconds to extend the lifetime. I would keep the cookie lifetime a bit longer.

greenpau, Apr 23 '24 21:04

    crypto default token lifetime 7200
    cookie lifetime 14440

this would be 2 hours expiration

greenpau, Apr 23 '24 21:04

> crypto default token lifetime 7200
> cookie lifetime 14440
>
> this would be 2 hours expiration

I am not trying to enlarge the lifetime, but to reset it with every interaction. If the user keeps on working with the page the lifetime is potentially eternal, but as soon as he stops, after for example 10 minutes the token expires.

carlo161, Apr 23 '24 21:04

@carlo161, are you asking for the ability to refresh the token just before it expires?

greenpau, Apr 23 '24 21:04

As long as the user is active?

greenpau, Apr 23 '24 21:04

Ah, I was mistaken. Either way, my overarching confusion was "Why have a longer cookie lifetime if the JWT expiring kills the session?"

Anyway, back to this issue: yes, @greenpau, I think the ask is to make the token auto-refresh / have the expiration extend to now+increment on every request.

jspadaro, Apr 23 '24 21:04

Yes, right. I would like to refresh the token with every call, as long as the user is active.

carlo161, Apr 23 '24 21:04
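
The behaviour asked for in this thread (renew the expiry on every request while the user is active, force a new login after 600 seconds of inactivity), as an added sketch that is not caddy-security code or configuration. The token format, the key, the `issue`/`refresh` names and the 7200-second absolute cap are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Assumed policy: expiry slides 600 s per request, never past login + 7200 s.
const idleTimeout, maxSession = 600 * time.Second, 7200 * time.Second
var key = []byte("constructed-demo-key") // sample key, not a real secret

func sign(payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

func issue(sub string, authAt, now time.Time) string {
	exp := now.Add(idleTimeout)
	if hardCap := authAt.Add(maxSession); exp.After(hardCap) {
		exp = hardCap
	}
	return sign(fmt.Sprintf("%s|%d|%d", sub, authAt.Unix(), exp.Unix()))
}

// refresh runs per request: verify the MAC, refuse an expired token, else reissue.
func refresh(tok string, now time.Time) (string, error) {
	i := strings.LastIndex(tok, ".")
	if i < 0 || !hmac.Equal([]byte(sign(tok[:i])), []byte(tok)) {
		return "", fmt.Errorf("bad signature")
	}
	var sub string
	var authAt, exp int64
	if _, err := fmt.Sscanf(strings.ReplaceAll(tok[:i], "|", " "), "%s %d %d", &sub, &authAt, &exp); err != nil {
		return "", err
	}
	if !now.Before(time.Unix(exp, 0)) {
		return "", fmt.Errorf("expired: login required")
	}
	return issue(sub, time.Unix(authAt, 0), now), nil
}

func main() {
	t0 := time.Unix(1700000000, 0) // constructed login time
	fmt.Println(refresh(issue("alice", t0, t0), t0.Add(601*time.Second)))
}
```

Because the tokens are stateless, every previously issued token stays valid until its own expiry. The absolute cap bounds how long a copied token could be kept alive by refreshing it.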

Following this for further information, since I would like to refresh the token on every call too.

alyssondiasmec, Jun 13 '24 15:06

Any update on this? Does this plugin already support token refresh?

alyssondiasmec, Jul 22 '24 14:07