Closed Bug 1388548 Opened 7 years ago Closed 7 years ago

Set expiration of issued temporary credentials

Categories

(Taskcluster :: Services, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

References

Details

https://wiki.mozilla.org/Security/Guidelines/OpenID_connect The web application (RP) must invalidate the user session when the ID token reaches expiration or sooner (the expiration time is generally a UNIX timestamp attribute named exp). If the user's complete session duration is longer than 15 minutes, must re-check/update the ID token every 15 minutes or next user request (whichever comes first), to ensure that the user is still valid and has correct permissions. This suggests that, whatever the duration of the access_token, the returned credentials should be good for only 15 minutes, requiring a new call to oidcCredentials after that time, which will re-poll the profile and correctly represent any changed credentials at that time.
Commits pushed to master at https://github.com/taskcluster/taskcluster-login https://github.com/taskcluster/taskcluster-login/commit/e10b2638941897fb823167edc365138eb6327c7d Bug 1388548 - set short expiration on credentials from oidcCredentials https://wiki.mozilla.org/Security/Guidelines/OpenID_connect suggests that callers re-check tokens every 15 minutes to gather any changes to the user account. With this change, we force clients of Taskcluster-login to do the same. https://github.com/taskcluster/taskcluster-login/commit/b6a40f1ba01ad6e3bad6d99acc59ac4c03e3848a Merge pull request #53 from djmitche/bug1388548 Bug 1388548 - set short expiration on credentials from oidcCredentials
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: Login → Services
You need to log in before you can comment on or make changes to this bug.