[eduVPN-deploy] Profile Authorization / ACLs / Permissions

François Kooman fkooman at tuxed.net
Wed Dec 12 14:06:58 CET 2018


On 12.12.18 12:36, Jørn Åne wrote:
> For our instance, I'd like to have (relative) short browser
> sessions, e.g. 8 hours max, but long validity (months) for refresh
> tokens and certificates.  The reason for this is that a certificate
> and a refresh token typically are locked to a device.  However, using
> the browser session, new refresh tokens and certificates can be
> issued, so this needs a shorter lifetime.

That's a good point. I should probably not make the browser session
duration configurable and just keep 8 hours. If we change this, it
should become maybe something more like 30 minutes. We could, in the
case of SAML, even use forceAuthn after say 30 minutes.

> I'd recommend for short browser sessions anyway; the browser session
> is only used for giving consent and managing profiles.  There is no
> need for a user to be allowed in without authentication over longer
> periods of time, and interactions with the webinterface can be
> typically described as "log in, do a job, get out", there is no
> expectation of staying logged in after the job is done.  This is
> different from a VPN client, where a user may expect it to work every
> time without being required to log in.

The way it currently works is that the time of the user's authentication
is used to determine how long a certificate / refresh_token is valid. So
if the session timeout is 8 hours, and after 4 hours you'd request a new
client certificate it would only be valid for 4 hours, the same for
OAuth refresh_tokens.

Regards,
François
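The capping rule described in the reply above (credential validity is bounded by the end of the browser session that issued it), as an added illustration that is not part of this thread and not eduVPN's own code. The timeout values, function names and the `SessionExpired` exception are assumptions made for the example; the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy values for the example; not eduVPN's configuration.
SESSION_TIMEOUT = timedelta(hours=8)          # browser session length
DEFAULT_CERT_LIFETIME = timedelta(days=90)    # what a client would normally ask for


class SessionExpired(Exception):
    """Raised when a credential is requested after the browser session ended."""


def credential_expiry(auth_time: datetime,
                      requested_lifetime: timedelta,
                      now: datetime,
                      session_timeout: timedelta = SESSION_TIMEOUT) -> datetime:
    """Return the expiry for a certificate or refresh token issued at `now`.

    The expiry never exceeds auth_time + session_timeout: a credential
    requested 4 hours into an 8 hour session is valid for 4 more hours,
    however long the client asked for.
    """
    if now < auth_time:
        raise ValueError("issuance time precedes authentication time")
    session_end = auth_time + session_timeout
    if now >= session_end:
        # No session left to bound the credential: the user must log in again.
        raise SessionExpired("browser session expired; re-authentication required")
    return min(now + requested_lifetime, session_end)


def remaining_validity(auth_time: datetime,
                       requested_lifetime: timedelta,
                       now: datetime,
                       session_timeout: timedelta = SESSION_TIMEOUT) -> timedelta:
    """How long the credential issued at `now` will actually be valid."""
    return credential_expiry(auth_time, requested_lifetime, now, session_timeout) - now


if __name__ == "__main__":
    # Constructed timeline: login at 09:00 UTC, certificate requested at 13:00.
    login = datetime(2018, 12, 12, 9, 0, tzinfo=timezone.utc)
    request = login + timedelta(hours=4)
    print("expires:", credential_expiry(login, DEFAULT_CERT_LIFETIME, request))
    print("valid for:", remaining_validity(login, DEFAULT_CERT_LIFETIME, request))
```

With a 30 minute session timeout, as floated in the reply, the same function caps every credential at 30 minutes after authentication, which is why the session length and the desired long-lived refresh token and certificate validity cannot be chosen independently under this rule.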


