[eduVPN-deploy] native apps OAuth refresh token expiry

François Kooman fkooman at tuxed.net
Wed Jan 10 13:56:16 CET 2018


Hi,

The newly released vpn-user-portal 1.4.6 supports expiring OAuth 2.0
refresh tokens. Those refresh tokens are used by the native applications
[1] to obtain VPN configurations without bothering the user every time
to authenticate.

Before this release, vpn-user-portal issued refresh tokens that never
expired. This makes sense in some situations, but especially in the
"eduVPN context" it makes sense to have users reauthorize (and thus in
effect reauthenticate) once in a while, e.g. to avoid students who have
finished studying from being able to use the VPN service indefinitely.

For new deploys the default for the expiry will be 6 months. This is
automatically configured in /etc/vpn-user-portal/default/config.php
under Api with the key refreshTokenExpiry:

    'Api' => [
        // access_tokens expire after 1 hour (seconds)
        'tokenExpiry' => 3600,
        // refresh_tokens expire after 6 months (ISO 8601 duration)
        'refreshTokenExpiry' => 'P6M',
    ],

For existing deploys, this key will not be present, and the expiry then
defaults to 1 year (the OAuth server's default). Existing refresh tokens
that were issued as valid "indefinitely" remain valid forever (until the
user revokes them through the user portal).

You can add the refreshTokenExpiry key (under Api) and set the value to
an ISO 8601 "Duration" [2]. For example, 1 day is "P1D", 1 week is
"P1W", 1 year is "P1Y".
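The duration arithmetic behind that setting, as an added example that is not vpn-user-portal's own code: a small Python script that validates a refreshTokenExpiry value written as an ISO 8601 duration, computes the moment a refresh token issued at a given time stops being accepted, and treats a missing value as "never expires" (the old behaviour). The month-overflow rule it applies (31 January + P1M is clamped to the end of February) is this script's choice, not necessarily what the server's date library does; the issue timestamp is a constructed sample.

```python
"""Compute refresh-token expiry from an ISO 8601 duration such as 'P6M'.
Added example; not vpn-user-portal code."""
import calendar
import re
from datetime import datetime, timedelta, timezone

# PnYnMnWnD with an optional TnHnMnS part. The lookaheads reject a bare "P"
# or a trailing "T" with nothing after it.
DURATION_RE = re.compile(
    r"^P(?!$)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?!$)(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(value):
    """Return (years, months, weeks, days, hours, minutes, seconds).

    Raises ValueError for anything that is not a well-formed duration, which
    is what you want from a config check: a typo like '6 months' must not be
    silently accepted as 'no expiry'.
    """
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"not an ISO 8601 duration: {value!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def add_months(dt, months):
    """Calendar month arithmetic; the day is clamped to the target month's
    length (this script's choice for overflow, e.g. 31 Jan + 1 month)."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def expiry_from(issued_at, duration):
    """Moment at which a refresh token issued at `issued_at` lapses."""
    years, months, weeks, days, hours, minutes, seconds = parse_duration(duration)
    expires = add_months(issued_at, 12 * years + months)
    return expires + timedelta(
        weeks=weeks, days=days, hours=hours, minutes=minutes, seconds=seconds
    )


def refresh_token_is_valid(issued_at, duration, now):
    """True while the token may still be exchanged for an access token.

    `duration` is None for tokens issued before expiry was configured: those
    never lapse, which is exactly why the announcement suggests clearing the
    old authorizations.
    """
    if duration is None:
        return True
    return now < expiry_from(issued_at, duration)


if __name__ == "__main__":
    # Constructed sample: a token issued when this mail was sent.
    issued = datetime(2018, 1, 10, 13, 56, 16, tzinfo=timezone.utc)
    for setting in ("P1D", "P1W", "P6M", "P1Y"):
        print(setting, "->", expiry_from(issued, setting).isoformat())
    print("still valid on 2018-08-01 with P6M?",
          refresh_token_is_valid(issued, "P6M",
                                 datetime(2018, 8, 1, tzinfo=timezone.utc)))
```

Run it once with the value you intend to put in config.php; a ValueError means the string would not be a usable duration.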

If you want to remove the existing "authorizations" so that clients are
forced to authorize the application again (to get rid of refresh_tokens
that are valid forever), you can do the following.

As root:

# sqlite3 /var/lib/vpn-user-portal/default/tokens.sqlite
SQLite version 3.20.1 2017-08-24 16:21:36
Enter ".help" for usage hints.
sqlite> DELETE from authorizations;
sqlite>

Let me know if you have any questions!

Cheers,
François

[1] https://app.eduvpn.nl/
[2] https://en.wikipedia.org/wiki/ISO_8601#Durations