Bug 1333012 - Token expiration isn't obvious and is annoying
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Dan Mace
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks: OSOPS_V3
Reported: 2016-05-04 14:02 UTC by Dan McPherson
Modified: 2019-03-29 15:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-23 17:32:06 UTC
Target Upstream Version:
Embargoed:



Description Dan McPherson 2016-05-04 14:02:09 UTC
Description of problem:

As a user, I would like more transparency and features around using tokens for the CLI. Namely:

- It isn't obvious how long my token will last
- It isn't obvious if I can change my token expiration
- A longer default expiration would be nice

Comment 1 Jordan Liggitt 2016-05-04 14:57:10 UTC
- It isn't obvious how long my token will last

We can display that

- It isn't obvious if I can change my token expiration

As an end user, you cannot

- A longer default expiration would be nice

Settable by the cluster admin, I don't think we'd go longer than 24 hours by default.

Comment 2 Vikas Laad 2016-05-05 15:15:45 UTC
I was running my tests and it started failing after 24 hrs. Server should extend the expiry date on token if it's in use. It's like a session, if it's in use extend it.

Comment 3 Jordan Liggitt 2016-05-05 15:40:53 UTC
> Server should extend the expiry date on token if it's in use. It's like a session, if it's in use extend it.

No, the expiration is intended to ensure that the authenticated user is still present. Reaffirming the identity with the configured identity provider does that, while extending the token does not.

Comment 6 weiwei jiang 2016-05-11 02:58:41 UTC
Checked on dev-preview-int, and the 31-day token still does not take effect.

Comment 7 Abhishek Gupta 2016-05-11 16:43:18 UTC
This bug is still in the MODIFIED state - I will move it to ON_QA when the configuration has been applied to INT/STG.

Comment 8 Abhishek Gupta 2016-05-13 19:55:32 UTC
Can you please verify this in STG now?

Comment 9 weiwei jiang 2016-05-16 06:29:47 UTC
Checked with dev-preview-stg, and the 31-day token still does not take effect.

[root@dev-preview-stg-master-defb2 ~]# oc get oauthaccesstokens msaw4-g4TF60eUxKvtl-_1gv1f41l254WIn9lyVLCNM
NAME                                          USER NAME   CLIENT NAME             CREATED                         EXPIRES                         REDIRECT URI                                                  SCOPES
msaw4-g4TF60eUxKvtl-_1gv1f41l254WIn9lyVLCNM   wjiangjay   openshift-web-console   2016-05-16 02:28:20 +0000 UTC   2016-05-17 02:28:20 +0000 UTC   https://console.dev-preview-stg.openshift.com/console/oauth   


And the master-config has 2 tokenConfig fields, and it seems the second takes effect:

oauthConfig:
  alwaysShowProviderSelection: True
  templates:
    error: /etc/openshift-online/ui-extensions/custom-templates/oauth-error-dev.html
    providerSelection: /etc/openshift-online/ui-extensions/custom-templates/provider-selection-dev.html
  tokenConfig:
    accessTokenMaxAgeSeconds: 2678400
    authorizeTokenMaxAgeSeconds: 300
  assetPublicURL: https://console.dev-preview-stg.openshift.com/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: false
    login: true
    mappingMethod: lookup
    name: github
    provider:
      apiVersion: v1
      clientID: 64adcbe3d8c7f05fdce6
      clientSecret: fae839769da535ec778edfe1a500cb0c152acd58
      kind: GitHubIdentityProvider
  masterCA: ca.crt
  masterPublicURL: https://api.dev-preview-stg.openshift.com
  masterURL: https://internal.api.dev-preview-stg.openshift.com
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500
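
Added example (not code from this bug or from OpenShift): Comment 9 traces the 24-hour expiry to a master-config with two tokenConfig blocks, of which the second seemed to take effect. The stdlib-only Python check below flags such repeated keys in block-style YAML before a config is applied; the function name and the sample config are constructed for illustration.

```python
import re

# Constructed sample modelled on the excerpt in Comment 9; values are placeholders.
SAMPLE = """\
oauthConfig:
  tokenConfig:
    accessTokenMaxAgeSeconds: 2678400
  identityProviders:
  - name: github
    provider:
      kind: GitHubIdentityProvider
  - name: other
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
"""


def find_duplicate_keys(text):
    """Return (path, first_line, repeat_line) per repeated key; block-style YAML only."""
    scopes, dups = [], []          # scopes: stack of currently open mappings
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        body = line.lstrip(" ")
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        is_item = body.startswith("- ")
        if is_item:                # "- key: v" starts a new mapping inside a list
            body = body[2:].lstrip(" ")
        key_indent = len(line) - len(body)
        while scopes and scopes[-1]["indent"] > indent:
            scopes.pop()           # leave mappings nested deeper than this line
        if is_item or not scopes or scopes[-1]["indent"] < key_indent:
            prefix = ""
            if scopes:
                parent = scopes[-1]
                prefix = parent["prefix"] + (parent["last"] or "") + ("[]." if is_item else ".")
            scopes.append({"indent": key_indent, "prefix": prefix, "seen": {}, "last": None})
        m = re.match(r"([\w.-]+):(\s|$)", body)
        if not m:
            continue               # scalar list item or continuation line
        scope, key = scopes[-1], m.group(1)
        if key in scope["seen"]:   # same key twice in one mapping
            dups.append((scope["prefix"] + key, scope["seen"][key], no))
        scope["seen"].setdefault(key, no)
        scope["last"] = key
    return dups

print(find_duplicate_keys(SAMPLE))
```

The same `name` key in separate list items is not reported, because each `- ` item opens its own mapping; only a key repeated within one mapping is flagged.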

Comment 11 Dan Mace 2016-05-16 20:36:59 UTC
Should be corrected in INT and STG per https://github.com/openshift/online/issues/138#issuecomment-219539660

Comment 12 weiwei jiang 2016-05-17 06:53:30 UTC
Checked with dev-preview-stg, and now the token max age is 31 days

Comment 13 weiwei jiang 2016-05-17 06:55:46 UTC
And dev-preview-int is also 31 days max age for token

