Bug 1983062 - The rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout gets FAIL when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as “600s”
Summary: The rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout gets FAIL when...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: 4.9.0
Assignee: Jakub Hrozek
QA Contact: Prashant Dhamdhere
URL:
Whiteboard:
Depends On: 1990836
Blocks:
Reported: 2021-07-16 11:27 UTC by xiyuan
Modified: 2021-11-10 07:37 UTC
4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-10 07:37:22 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4530 0 None None None 2021-11-10 07:37:28 UTC

Description xiyuan 2021-07-16 11:27:47 UTC
Description of problem:
The rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout gets FAIL when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as “600s”; however, when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as “10min0s”, the rule gets PASS and there is no such issue.

Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-07-15-221145 + compliance-operator-v0.1.35

How reproducible:
always
Steps to Reproduce:
1. deploy compliance operator
2. Configure the OAuth server timeout, and wait until all pods in the openshift-authentication namespace have finished restarting.
# oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"600s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
# oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
600s
3. Create ssb:
# oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

4. Check the scan result for rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout 

Actual results:
The scan result for rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout is FAIL when the OAuth server timeout is configured:
# oc get checkresult ocp4-moderate-oauth-or-oauthclient-inactivity-timeout
NAME                                                    STATUS   SEVERITY
ocp4-moderate-oauth-or-oauthclient-inactivity-timeout   FAIL     medium

Expected results:
When the OAuth server timeout parameter accessTokenInactivityTimeout is configured as “600s”, the rule should be PASS.
Per the instructions, the rule could be PASS when either the OAuth server timeout or the OAuth client timeout is configured:
# oc get checkresult ocp4-moderate-oauth-or-oauthclient-inactivity-timeout -o=jsonpath={.instructions}
To check if the OAuth server timeout is configured, run the following command:
oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
the output should return a timeout value.

To check if the OAuth client timeout is configured, run the following command:
oc get oauthclients -ojson | jq -r '.items[] | { accessTokenInactivityTimeoutSeconds: .accessTokenInactivityTimeoutSeconds}'
the output should return a timeout value per client.

Additional info: 
However, when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as “10min0s”, there is no such issue and the rule gets PASS:
# oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"10min0s"}}}' --type=merge
oauth.config.openshift.io/cluster patched

Comment 2 xiyuan 2021-07-19 11:31:48 UTC
@Matt
Yes, when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as “10min0s”, there is no such issue and the rule gets PASS.
The only problem is that "600s" is a valid configuration for oauth cluster. Why doesn't it work for this rule? Thanks.

Comment 3 Jakub Hrozek 2021-07-20 09:30:28 UTC
(In reply to xiyuan from comment #2)
> @Matt
> Yes, when the OAuth server timeout parameter accessTokenInactivityTimeout is
> configured as “10min0s”, there is no such issue and the rule gets PASS.
> The only problem is that "600s" is a valid configuration for oauth cluster.
> Why doesn't it work for this rule? Thanks.

Because the rule uses a variable and the rule's check asserts equality between the variable's value and the value in the API object. There's no way to convert the variable value between 600s and 10m0s in openscap even though they mean the same thing. And for some reason (I guess as a result of validation), the oauth server converts the value in seconds into value in minutes and seconds, so 600s becomes 10m0s on the oauth server side.

The confusing instructions that say 600s should be fixed with the commit Matt linked which changed the value we check for from 600s to 10m0s.

For now, if you can verify that the latest content builds show 10m in the instructions, I would leave the variable in. We will be working on exposing the variables better in one of the upcoming releases. If you think it would help, we can document in the instructions that the values are converted. As a last resort, we could remove the variable completely, but I wouldn't like that to be honest.

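Comment 3 above attributes the FAIL to a textual comparison: OpenSCAP compares the rule's variable with the string in the API object, while the OAuth server re-serialises the duration, so "600s" comes back as "10m0s". The Go program below is an added example, not code from the bug, the Compliance Operator or the ComplianceAsCode content; it assumes the normalisation is Go's time.Duration round-trip and shows why a string check fails for an equivalent spelling while a value-based comparison (including the integer accessTokenInactivityTimeoutSeconds field of an OAuthClient) passes.

```go
package main

import (
	"fmt"
	"time"
)

// ParseTimeout parses an accessTokenInactivityTimeout value as a user would
// write it in the OAuth object ("600s", "10m0s", "10m"). Assumption: the
// OAuth server round-trips the field through Go's time.Duration, which is
// the normalisation described in comment 3 (600s is read back as 10m0s).
func ParseTimeout(raw string) (time.Duration, error) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("invalid timeout %q: %w", raw, err)
	}
	if d <= 0 {
		return 0, fmt.Errorf("timeout %q must be positive", raw)
	}
	return d, nil
}

// Canonical returns the string the server will report for raw.
// Duration.String renders whole hours and minutes first, so "600s" becomes "10m0s".
func Canonical(raw string) (string, error) {
	d, err := ParseTimeout(raw)
	if err != nil {
		return "", err
	}
	return d.String(), nil
}

// StringEqual models the failing check: the rule's variable is compared
// textually against the value read from the API object.
func StringEqual(want, got string) bool {
	return want == got
}

// DurationEqual compares the two values after parsing, so every spelling of
// the same duration ("600s", "10m", "10m0s") matches the policy value.
func DurationEqual(want, got string) (bool, error) {
	w, err := ParseTimeout(want)
	if err != nil {
		return false, err
	}
	g, err := ParseTimeout(got)
	if err != nil {
		return false, err
	}
	return w == g, nil
}

// ClientSecondsEqual applies the same policy value to an OAuthClient, whose
// accessTokenInactivityTimeoutSeconds field is an integer number of seconds
// rather than a duration string.
func ClientSecondsEqual(seconds int64, want string) (bool, error) {
	w, err := ParseTimeout(want)
	if err != nil {
		return false, err
	}
	return time.Duration(seconds)*time.Second == w, nil
}

func main() {
	const policy = "10m0s" // value the rule's variable carries after the content fix
	// Constructed inputs: three spellings of ten minutes plus a bare integer,
	// which is valid for the client field but not for the server field.
	for _, configured := range []string{"600s", "10m", "10m0s", "600"} {
		canon, err := Canonical(configured)
		if err != nil {
			fmt.Printf("%-6s rejected: %v\n", configured, err)
			continue
		}
		byValue, _ := DurationEqual(policy, configured)
		fmt.Printf("%-6s stored as %-6s string-equal=%-5v value-equal=%v\n",
			configured, canon, StringEqual(policy, configured), byValue)
	}
	ok, _ := ClientSecondsEqual(600, policy)
	fmt.Printf("OAuthClient accessTokenInactivityTimeoutSeconds=600 matches %s: %v\n", policy, ok)
}
```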
Comment 4 xiyuan 2021-07-22 10:26:53 UTC
(In reply to Jakub Hrozek from comment #3)
> (In reply to xiyuan from comment #2)
> > @Matt
> > Yes, when the OAuth server timeout parameter accessTokenInactivityTimeout is
> > configured as “10min0s”, there is no such issue and the rule gets PASS.
> > The only problem is that "600s" is a valid configuration for oauth cluster.
> > Why doesn't it work for this rule? Thanks.
> 
> Because the rule uses a variable and the rule's check asserts equality
> between the variable's value and the value in the API object. There's no way
> to convert the variable value between 600s and 10m0s in openscap even though
> they mean the same thing. And for some reason (I guess as a result of
> validation), the oauth server converts the value in seconds into value in
> minutes and seconds, so 600s becomes 10m0s on the oauth server side.
> 
> The confusing instructions that say 600s should be fixed with the commit
> Matt linked which changed the value we check for from 600s to 10m0s.
> 
> For now, if you can verify that the latest content builds show 10m in the
> instructions, I would leave the variable in. We will be working on exposing
> the variables better in one of the upcoming releases. If you think it would
> help, we can document in the instructions that the values are converted. As
> a last resort, we could remove the variable completely, but I wouldn't like
> that to be honest.

@jhrozek
Documenting it would be enough (in the instructions or in the OpenShift docs, either is fine). I confirmed that when 10min0s was set, the rule is working as expected.

Comment 5 Jakub Hrozek 2021-07-22 14:28:58 UTC
PR: https://github.com/ComplianceAsCode/content/pull/7273

Comment 6 Jakub Hrozek 2021-07-23 19:01:00 UTC
Fixed in https://github.com/ComplianceAsCode/content/pull/7273

Comment 10 xiyuan 2021-08-24 14:48:09 UTC
Hi Jakub,
I didn't find the note added for the rule.
Did I use the wrong command? Could you help double check? Thanks.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-23-224104   True        False         4h6m    Cluster version is 4.9.0-0.nightly-2021-08-23-224104
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-64zqn   compliance-operator.v0.1.39   Automatic   true
$ oc get csv
NAME                              DISPLAY                            VERSION    REPLACES   PHASE
compliance-operator.v0.1.39       Compliance Operator                0.1.39                Succeeded
elasticsearch-operator.5.2.0-43   OpenShift Elasticsearch Operator   5.2.0-43              Succeeded
$ oc get profilebundle.compliance
NAME     CONTENTIMAGE                                                                                                                               CONTENTFILE         STATUS
ocp4     registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7527f52d9ce5f22fe5453b23eb490ce1f7e64e0cf7112b13a294c4bc442ae35d   ssg-ocp4-ds.xml     VALID
rhcos4   registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7527f52d9ce5f22fe5453b23eb490ce1f7e64e0cf7112b13a294c4bc442ae35d   ssg-rhcos4-ds.xml   VALID

$ oc get pod
NAME                                            READY   STATUS    RESTARTS       AGE
compliance-operator-78f66d7ddf-26989            1/1     Running   1 (3m7s ago)   3m53s
ocp4-openshift-compliance-pp-6d7c7db4bd-h5qv6   1/1     Running   0              2m31s
rhcos4-openshift-compliance-pp-c7b548bd-j6h4s   1/1     Running   0              2m31s

$ oc get rule ocp4-oauth-or-oauthclient-inactivity-timeout  -o=jsonpath={.description}
You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

To set the OAuth server inactivity timeout, edit the OAuth server object: oc edit oauth cluster and set the.spec.tokenConfig.accessTokenInactivityTimeout parameter to the desired value:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
...
spec:
  tokenConfig:
    accessTokenInactivityTimeout: 10m0s

For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html

To edit the OAuth client inactivity timeout, edit the OAuth client object: oc edit oauthclient $clientname and set the top-level accessTokenInactivityTimeoutSeconds attribute.

apiVersion: oauth.openshift.io/v1
grantMethod: auto
kind: OAuthClient
metadata:
...
accessTokenInactivityTimeoutSeconds: 600

For more information on configuring the OAuth clients, consult the OpenShift documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth

$ oc-compliance view-result ocp4-moderate-oauth-or-oauthclient-inactivity-timeout
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|         KEY          |                                                                                            VALUE                                                                                            |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Title                | Configure OAuth tokens to                                                                                                                                                                   |
|                      | expire after a set period of                                                                                                                                                                |
|                      | inactivity                                                                                                                                                                                  |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Status               | FAIL                                                                                                                                                                                        |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Severity             | medium                                                                                                                                                                                      |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Description          | You can configure OAuth tokens                                                                                                                                                              |
|                      | to expire after a set period                                                                                                                                                                |
|                      | of inactivity. By default, no                                                                                                                                                               |
|                      | token inactivity timeout is                                                                                                                                                                 |
|                      | set.                                                                                                                                                                                        |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | The inactivity timeout can be                                                                                                                                                               |
|                      | either set in the OAuth server                                                                                                                                                              |
|                      | configuration or in any of                                                                                                                                                                  |
|                      | the OAuth clients. The client                                                                                                                                                               |
|                      | settings override the OAuth                                                                                                                                                                 |
|                      | server setting.                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | To set the OAuth server inactivity                                                                                                                                                          |
|                      | timeout, edit the OAuth server                                                                                                                                                              |
|                      | object: oc edit oauth cluster and set                                                                                                                                                       |
|                      | the.spec.tokenConfig.accessTokenInactivityTimeout                                                                                                                                           |
|                      | parameter to the desired value:                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | apiVersion:                                                                                                                                                                                 |
|                      | config.openshift.io/v1                                                                                                                                                                      |
|                      |                                                                                                                                                                                             |
|                      | kind: OAuth                                                                                                                                                                                 |
|                      |                                                                                                                                                                                             |
|                      | metadata:                                                                                                                                                                                   |
|                      |                                                                                                                                                                                             |
|                      | ...                                                                                                                                                                                         |
|                      |                                                                                                                                                                                             |
|                      | spec:                                                                                                                                                                                       |
|                      |                                                                                                                                                                                             |
|                      |   tokenConfig:                                                                                                                                                                              |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | accessTokenInactivityTimeout:                                                                                                                                                               |
|                      | 10m0s                                                                                                                                                                                       |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | For more information on configuring the OAuth server, consult the OpenShift documentation:                                                                                                  |
|                      | https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | To edit the OAuth client inactivity                                                                                                                                                         |
|                      | timeout, edit the OAuth client                                                                                                                                                              |
|                      | object: oc edit oauthclient                                                                                                                                                                 |
|                      | $clientname and set the top-level                                                                                                                                                           |
|                      | accessTokenInactivityTimeoutSeconds                                                                                                                                                         |
|                      | attribute.                                                                                                                                                                                  |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | apiVersion:                                                                                                                                                                                 |
|                      | oauth.openshift.io/v1                                                                                                                                                                       |
|                      |                                                                                                                                                                                             |
|                      | grantMethod: auto                                                                                                                                                                           |
|                      |                                                                                                                                                                                             |
|                      | kind: OAuthClient                                                                                                                                                                           |
|                      |                                                                                                                                                                                             |
|                      | metadata:                                                                                                                                                                                   |
|                      |                                                                                                                                                                                             |
|                      | ...                                                                                                                                                                                         |
|                      |                                                                                                                                                                                             |
|                      | accessTokenInactivityTimeoutSeconds:                                                                                                                                                        |
|                      |                                                                                                                                                                                         600 |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | For more information on configuring the OAuth clients, consult the OpenShift documentation:                                                                                                 |
|                      | https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Rationale            | Terminating an idle session                                                                                                                                                                 |
|                      | within a short time period                                                                                                                                                                  |
|                      | reduces the window of                                                                                                                                                                       |
|                      | opportunity for unauthorized                                                                                                                                                                |
|                      | personnel to take control of                                                                                                                                                                |
|                      | a session that has been left                                                                                                                                                                |
|                      | unattended.                                                                                                                                                                                 |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Instructions         | To check if the OAuth server                                                                                                                                                                |
|                      | timeout is configured, run the                                                                                                                                                              |
|                      | following command:                                                                                                                                                                          |
|                      |                                                                                                                                                                                             |
|                      | oc get oauth cluster                                                                                                                                                                        |
|                      | -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'                                                                                                                               |
|                      |                                                                                                                                                                                             |
|                      | the output should return a                                                                                                                                                                  |
|                      | timeout value.                                                                                                                                                                              |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | To check if the OAuth client                                                                                                                                                                |
|                      | timeout is configured, run the                                                                                                                                                              |
|                      | following command:                                                                                                                                                                          |
|                      |                                                                                                                                                                                             |
|                      | oc get oauthclients -ojson                                                                                                                                                                  |
|                      | | jq -r '.items[] | {                                                                                                                                                                       |
|                      | accessTokenInactivityTimeoutSeconds:                                                                                                                                                        |
|                      | .accessTokenInactivityTimeoutSeconds}'                                                                                                                                                      |
|                      |                                                                                                                                                                                             |
|                      | the output should return a                                                                                                                                                                  |
|                      | timeout value per client.                                                                                                                                                                   |
...

Comment 11 Jakub Hrozek 2021-08-24 18:25:39 UTC
Looking at the git log, I see that I've only added the new content to the oauth-inactivity-timeout rule, not to the compound one. Can you verify that the text looks good over there and if it does, I'll copy it over to the compound rule.
Thanks for bringing this up.

Comment 12 xiyuan 2021-08-25 10:42:29 UTC
Hi Jakub,
Yes, it is available in the description for rule ocp4-oauth-inactivity-timeout.
Is it possible to update note in the instruction part for rule ocp4-oauth-or-oauthclient-inactivity-timeout? Thanks. Not sure it is reasonable or not.

$ oc get rule ocp4-oauth-inactivity-timeout -o=jsonpath={.description}
You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

To set the OAuth server inactivity timeout, edit the OAuth server object: oc edit oauth cluster and set the.spec.tokenConfig.accessTokenInactivityTimeout parameter to the desired value:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
...
spec:
  tokenConfig:
    accessTokenInactivityTimeout:

Please note that the OAuth server converts the value internally to a human-readable format,
so that e.g. setting accessTokenInactivityTimeout=600s would be converted by the OAuth
server to accessTokenInactivityTimeout=10m0s.

For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html

Comment 14 Jakub Hrozek 2021-08-25 12:06:58 UTC
Addressed with https://github.com/ComplianceAsCode/content/pull/7462
Thanks again for bringing this up.

Comment 19 Prashant Dhamdhere 2021-09-24 11:53:31 UTC
[Bug_Verification]

It looks good. Now, the rule description has a note which clarifies the things about the accessTokenInactivityTimeout
parameter and its value, which the user can refer to.

Verified on:
4.9.0-0.nightly-2021-09-23-142241 + compliance-operator.v0.1.41


$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-09-23-142241   True        False         8h      Cluster version is 4.9.0-0.nightly-2021-09-23-142241

$ oc get csv
NAME                             DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.41      Compliance Operator                0.1.41               Succeeded
elasticsearch-operator.5.2.2-7   OpenShift Elasticsearch Operator   5.2.2-7              Succeeded

$ oc get pods
NAME                                              READY   STATUS      RESTARTS        AGE
compliance-operator-c769749d5-8pjgm               1/1     Running     1 (7h55m ago)   7h56m
ocp4-openshift-compliance-pp-64dbd7c98f-dwhdz     1/1     Running     0               7h54m
rhcos4-openshift-compliance-pp-66575dc885-lb9vh   1/1     Running     0               7h54m


$ oc get rules ocp4-oauth-or-oauthclient-inactivity-timeout -ojsonpath={.description}
You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

To set the OAuth server inactivity timeout, edit the OAuth server object: oc edit oauth cluster and set the.spec.tokenConfig.accessTokenInactivityTimeout parameter to the desired value:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
...
spec:
  tokenConfig:
    accessTokenInactivityTimeout: 10m0s

Please note that the OAuth server converts the value internally to a human-readable format,
so that e.g. setting accessTokenInactivityTimeout=600s would be converted by the OAuth
server to accessTokenInactivityTimeout=10m0s.

For more information on configuring the OAuth server, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html

To edit the OAuth client inactivity timeout, edit the OAuth client object: oc edit oauthclient $clientname and set the top-level accessTokenInactivityTimeoutSeconds attribute.

apiVersion: oauth.openshift.io/v1
grantMethod: auto
kind: OAuthClient
metadata:
...
accessTokenInactivityTimeoutSeconds: 600

For more information on configuring the OAuth clients, consult the OpenShift documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth




$ oc-compliance view-result ocp4-moderate-oauth-or-oauthclient-inactivity-timeout |head -100
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|         KEY          |                                                                                            VALUE                                                                                            |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Title                | Configure OAuth tokens to                                                                                                                                                                   |
|                      | expire after a set period of                                                                                                                                                                |
|                      | inactivity                                                                                                                                                                                  |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Status               | FAIL                                                                                                                                                                                        |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Severity             | medium                                                                                                                                                                                      |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Description          | You can configure OAuth tokens                                                                                                                                                              |
|                      | to expire after a set period                                                                                                                                                                |
|                      | of inactivity. By default, no                                                                                                                                                               |
|                      | token inactivity timeout is                                                                                                                                                                 |
|                      | set.                                                                                                                                                                                        |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | The inactivity timeout can be                                                                                                                                                               |
|                      | either set in the OAuth server                                                                                                                                                              |
|                      | configuration or in any of                                                                                                                                                                  |
|                      | the OAuth clients. The client                                                                                                                                                               |
|                      | settings override the OAuth                                                                                                                                                                 |
|                      | server setting.                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | To set the OAuth server inactivity                                                                                                                                                          |
|                      | timeout, edit the OAuth server                                                                                                                                                              |
|                      | object: oc edit oauth cluster and set                                                                                                                                                       |
|                      | the.spec.tokenConfig.accessTokenInactivityTimeout                                                                                                                                           |
|                      | parameter to the desired value:                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | apiVersion:                                                                                                                                                                                 |
|                      | config.openshift.io/v1                                                                                                                                                                      |
|                      |                                                                                                                                                                                             |
|                      | kind: OAuth                                                                                                                                                                                 |
|                      |                                                                                                                                                                                             |
|                      | metadata:                                                                                                                                                                                   |
|                      |                                                                                                                                                                                             |
|                      | ...                                                                                                                                                                                         |
|                      |                                                                                                                                                                                             |
|                      | spec:                                                                                                                                                                                       |
|                      |                                                                                                                                                                                             |
|                      |   tokenConfig:                                                                                                                                                                              |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | accessTokenInactivityTimeout:                                                                                                                                                               |
|                      | 10m0s                                                                                                                                                                                       |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | Please note that the OAuth                                                                                                                                                                  |
|                      | server converts the value                                                                                                                                                                   |
|                      | internally to a human-readable                                                                                                                                                              |
|                      | format,                                                                                                                                                                                     |
|                      |                                                                                                                                                                                             |
|                      | so that e.g. setting                                                                                                                                                                        |
|                      | accessTokenInactivityTimeout=600s                                                                                                                                                           |
|                      | would be converted by the OAuth                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | server to                                                                                                                                                                                   |
|                      | accessTokenInactivityTimeout=10m0s.                                                                                                                                                         |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | For more information on configuring the OAuth server, consult the OpenShift documentation:                                                                                                  |
|                      | https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | To edit the OAuth client inactivity                                                                                                                                                         |
|                      | timeout, edit the OAuth client                                                                                                                                                              |
|                      | object: oc edit oauthclient                                                                                                                                                                 |
|                      | $clientname and set the top-level                                                                                                                                                           |
|                      | accessTokenInactivityTimeoutSeconds                                                                                                                                                         |
|                      | attribute.                                                                                                                                                                                  |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | apiVersion:                                                                                                                                                                                 |
|                      | oauth.openshift.io/v1                                                                                                                                                                       |
|                      |                                                                                                                                                                                             |
|                      | grantMethod: auto                                                                                                                                                                           |
|                      |                                                                                                                                                                                             |
|                      | kind: OAuthClient                                                                                                                                                                           |
|                      |                                                                                                                                                                                             |
|                      | metadata:                                                                                                                                                                                   |
|                      |                                                                                                                                                                                             |
|                      | ...                                                                                                                                                                                         |
|                      |                                                                                                                                                                                             |
|                      | accessTokenInactivityTimeoutSeconds:                                                                                                                                                        |
|                      |                                                                                                                                                                                         600 |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      |                                                                                                                                                                                             |
|                      | For more information on configuring the OAuth clients, consult the OpenShift documentation:                                                                                                 |
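The rule description quoted in Comment 12 and Comment 19 explains that the OAuth server stores `accessTokenInactivityTimeout` as a Go duration, so `600s` is normalised to `10m0s`. The following is an added example (not code from the Compliance Operator or ComplianceAsCode) showing how a check should parse and compare the value as a duration rather than matching the literal string, and how the per-client `accessTokenInactivityTimeoutSeconds` integer fits into an either/or evaluation; the `ClientTimeout` type and `EvaluateInactivityTimeout` function are hypothetical names chosen for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

// NormalizeServerTimeout parses the OAuth server's accessTokenInactivityTimeout
// string with Go duration syntax (the same syntax the OpenShift config API uses)
// and returns the parsed duration plus its canonical form, e.g. "600s" -> "10m0s".
func NormalizeServerTimeout(raw string) (time.Duration, string, error) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, "", fmt.Errorf("invalid accessTokenInactivityTimeout %q: %w", raw, err)
	}
	return d, d.String(), nil
}

// ClientTimeout models one OAuthClient object: its name and the top-level
// accessTokenInactivityTimeoutSeconds attribute (nil when the attribute is unset),
// mirroring the per-client values the rule instructions extract with jq.
type ClientTimeout struct {
	Name    string
	Seconds *int32
}

// seconds is a small helper for building constructed sample clients.
func seconds(n int32) *int32 { return &n }

// EvaluateInactivityTimeout mirrors the intent of the compound rule: PASS when the
// OAuth server has a positive inactivity timeout, or when every OAuth client sets one.
// The server value is compared as a parsed duration, so "600s" and "10m0s" are treated
// identically instead of one of them spuriously failing a string match.
func EvaluateInactivityTimeout(serverRaw string, clients []ClientTimeout) (bool, string) {
	if serverRaw != "" {
		d, canon, err := NormalizeServerTimeout(serverRaw)
		if err != nil {
			return false, err.Error()
		}
		if d > 0 {
			return true, fmt.Sprintf("OAuth server timeout set (%s, normalised %s)", serverRaw, canon)
		}
	}
	if len(clients) == 0 {
		return false, "no OAuth server timeout and no OAuth clients to fall back on"
	}
	for _, c := range clients {
		if c.Seconds == nil || *c.Seconds <= 0 {
			return false, fmt.Sprintf("OAuth client %q has no accessTokenInactivityTimeoutSeconds", c.Name)
		}
	}
	return true, "every OAuth client sets accessTokenInactivityTimeoutSeconds"
}

func main() {
	// Constructed sample inputs: the two server spellings from the bug report and
	// a client that only sets the per-client attribute.
	for _, raw := range []string{"600s", "10m0s"} {
		ok, why := EvaluateInactivityTimeout(raw, nil)
		fmt.Printf("server=%-6s pass=%-5t %s\n", raw, ok, why)
	}
	clients := []ClientTimeout{{Name: "console", Seconds: seconds(600)}}
	ok, why := EvaluateInactivityTimeout("", clients)
	fmt.Printf("server=unset  pass=%-5t %s\n", ok, why)
}
```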

Comment 21 errata-xmlrpc 2021-11-10 07:37:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4530
