[eduVPN-deploy] issues with "expiry at night"
François Kooman
fkooman at tuxed.net
Sat Jun 12 10:11:34 CEST 2021
On 10.06.21 08:26, François Kooman via eduVPN-deploy wrote:
> We discovered some issues with "expiry at night" functionality that we
> added recently (in 2.3.10) [1]. The good news is, it is off by default,
> but please refrain from enabling it for now!
To quickly follow up:
It turns out backporting features from the eduVPN/Let's Connect! 3.x
branch to 2.x is not without risks. Due to the (completely) different
way of handling "expiry" in 3.x it is not trivial to implement this in
2.x in a "correct" way. We'll have to rethink the feature from the start
and decide whether it is worth (still) implementing this in 2.x or just
defer to 3.x.
The problem we are running into is that the way the "session expiry" is
calculated does not integrate well with how we handle the validity of
OAuth sessions and therefore OAuth refresh tokens are rejected way
earlier than they should, which could result in... the need to restart
the VPN in the middle of the day at about half the expected expiry time.
To summarize: do NOT use "expiry at night!"
Regards,
François
More information about the eduVPN-deploy
mailing list