[eduVPN-deploy] Profile Authorization / ACLs / Permissions
Jørn Åne
jorn.dejong at uninett.no
Wed Dec 12 12:36:10 CET 2018
On 12/12/2018 12:16, François Kooman wrote:
> The way this new permissions model will be implemented is this: issue
> OAuth tokens and certificates that expire at the exact same time
> together with the browser session. So if a VPN server chose to require
> the user to authenticate every 8 hours, the browser session, the OAuth
> token (actually the refresh_token) and the issued X.509 client
> certificate will all be valid for exactly 8 hours after user
> authentication, thus forcing a new authentication every 8 hours. This
> already works well with the Let's Connect!/eduVPN applications!
For our instance, I'd like to have (relative) short browser sessions,
e.g. 8 hours max, but long validity (months) for refresh tokens and
certificates. The reason for this is that a certificate and a refresh
token typically are locked to a device. However, using the browser
session, new refresh tokens and certificates can be issued, so this
needs a shorter lifetime.
I'd recommend short browser sessions anyway; the browser session is
only used for giving consent and managing profiles. There is no need
for a user to be allowed in without authentication over longer periods
of time, and interactions with the web interface can typically be
described as "log in, do a job, get out"; there is no expectation of
staying logged in after the job is done. This is different from a VPN
client, where a user may expect it to work every time without being
required to log in.
--
Jørn Åne
System developer
Uninett AS
jorn.dejong at uninett.no
+47 95 36 10 17
www.uninett.no