V14: Apply sliding window token expiry based on the configured max login lifetime #16028

Merged
merged 6 commits into from
Apr 18, 2024

Conversation

@elit0451 (Member) commented Apr 10, 2024

Details

Caution

> The client application needs to make some changes before we merge this PR, as there is a minimum access token lifetime set to 10mins by the library they use, which is not the case with the default 20mins timeout that we support (making it only 5mins for the access token).

  • Reimplementing session timeout which will prompt the user for re-authentication when the time has passed.
    • Making use of sliding window expiry for access and refresh token - where the access token has 4 times shorter lifetime than the refresh token which will make the client application re-request a new access token behind the scenes using the refresh token;
    • Only after the refresh token expires, the user will have to re-authenticate.

Test

  • To see the expiration take effect faster, let's change the value of Umbraco::CMS::Global::TimeOut to 00:04:00;
    • This will set the refresh token lifetime to 4 mins and the access token to 1m (25% of 4mins);
  • Using Postman:
    • Get a token (through /umbraco/management/api/v1/security/back-office/authorize and then /umbraco/management/api/v1/security/back-office/token);
      • Tip: Use ?&scope=offline_access to make sure you get a refresh token from the /token endpoint.
  • Verify that the value of "expires_in": 59, or 60 (seconds);
  • Verify that you can use the access token in a Management API endpoint;
  • Verify that you cannot use the access token in a Management API endpoint after 1 min;
  • Verify that you can get a new access token, using the refresh token as it will still be valid;
  • Verify that if you don't use the refresh token for 4mins - it will be invalid when trying to get a new token after 4mins have passed;
  • Verify that if you change the value of Umbraco::CMS::Global::TimeOut setting, the value of the "expires_in" parameter from the response of /umbraco/management/api/v1/security/back-office/token endpoint also changes accordingly.

Note

We can go over the test scenarios together if something doesn't make sense 😉
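The lifetimes described in the PR description above, modelled as a small self-contained simulation so the test steps can be followed without a running server. This is an added example, not code from the Umbraco PR or the project: it assumes the 25% access-token ratio and the sliding window the description states, and it additionally assumes (the PR does not say this) that every refresh rotates the refresh token, revoking the old one. The function and class names (parse_timeout, TokenPolicy, TokenStore, run_scenario) and the timestamps are constructed for the example.

```python
"""Sliding-window access/refresh token expiry driven by one configured session
timeout.  Added example modelling the behaviour the PR describes; not Umbraco's
own code.  Every name and value below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# Assumption from the PR text: the access token gets 25% of the configured
# timeout, the refresh token gets the full timeout.
ACCESS_TOKEN_FRACTION = 0.25


def parse_timeout(value: str) -> timedelta:
    """Parse the hh:mm:ss string used for Umbraco::CMS::Global::TimeOut."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


@dataclass
class TokenPolicy:
    refresh_lifetime: timedelta

    @property
    def access_lifetime(self) -> timedelta:
        return self.refresh_lifetime * ACCESS_TOKEN_FRACTION


@dataclass
class TokenStore:
    """Server-side view: opaque token -> absolute expiry (hypothetical store)."""
    policy: TokenPolicy
    access: dict = field(default_factory=dict)
    refresh: dict = field(default_factory=dict)

    def issue(self, now: datetime) -> dict:
        """Issue an access/refresh pair the way a /token response would."""
        access_token = secrets.token_urlsafe(16)
        refresh_token = secrets.token_urlsafe(16)
        self.access[access_token] = now + self.policy.access_lifetime
        self.refresh[refresh_token] = now + self.policy.refresh_lifetime
        return {
            "access_token": access_token,
            "refresh_token": refresh_token,
            "expires_in": int(self.policy.access_lifetime.total_seconds()),
        }

    def validate_access(self, token: str, now: datetime) -> bool:
        """An access token is only usable before its absolute expiry."""
        expiry = self.access.get(token)
        return expiry is not None and now < expiry

    def redeem_refresh(self, token: str, now: datetime):
        """Sliding window: redeeming inside the refresh lifetime yields a new
        pair whose refresh token lives a full timeout from *now*.  The old
        refresh token is revoked (rotation is an assumption of this example).
        Returns None for an expired or unknown refresh token."""
        expiry = self.refresh.pop(token, None)
        if expiry is None or now >= expiry:
            return None
        return self.issue(now)


def run_scenario(timeout: str = "00:04:00") -> dict:
    """Walk the PR's manual test steps against the model and report each check."""
    store = TokenStore(TokenPolicy(parse_timeout(timeout)))
    t0 = datetime(2024, 4, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock
    first = store.issue(t0)
    results = {"expires_in": first["expires_in"]}
    # Access token usable before, and not after, its 25% lifetime.
    results["access_ok_at_30s"] = store.validate_access(
        first["access_token"], t0 + timedelta(seconds=30))
    results["access_ok_at_61s"] = store.validate_access(
        first["access_token"], t0 + timedelta(seconds=61))
    # Refresh inside the window: succeeds and slides the window to t0+7m.
    second = store.redeem_refresh(first["refresh_token"], t0 + timedelta(minutes=3))
    results["refresh_ok_at_3m"] = second is not None
    # The old refresh token was rotated out, so replaying it is rejected.
    results["old_refresh_replay_rejected"] = store.redeem_refresh(
        first["refresh_token"], t0 + timedelta(minutes=3, seconds=1)) is None
    # 6m is past the original 4m expiry but inside the slid window.
    third = store.redeem_refresh(second["refresh_token"], t0 + timedelta(minutes=6))
    results["refresh_ok_at_6m_after_slide"] = third is not None
    # Idle for more than the timeout (issued at 6m, tried at 11m): rejected.
    results["refresh_rejected_after_idle"] = store.redeem_refresh(
        third["refresh_token"], t0 + timedelta(minutes=11)) is None
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

With the default 00:04:00 the model reports expires_in of 60 seconds, matching the "59 or 60" the PR asks testers to verify, and with the product default of 00:20:00 it reports 300 seconds, the 5-minute access token the caution note refers to.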

@elit0451 elit0451 added the project/bellissima AKA "the new backoffice" label Apr 10, 2024
@kjac kjac self-requested a review April 17, 2024 05:19
@kjac (Contributor) left a comment

Works great! Code looks fine too. I updated the comment to add a little more clarity when we re-read it in the future :)

@elit0451 elit0451 merged commit e33d7a7 into v14/dev Apr 18, 2024
12 of 16 checks passed
@elit0451 elit0451 deleted the v14/feature/tokens-lifetime branch April 18, 2024 06:24
Labels
project/bellissima AKA "the new backoffice" release/14.0.0