Closed Bug 1388548 Opened 7 years ago Closed 7 years ago

Set expiration of issued temporary credentials

Categories

(Taskcluster :: Services, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

https://wiki.mozilla.org/Security/Guidelines/OpenID_connect
The web application (RP) must invalidate the user session when the ID token reaches expiration or sooner (the expiration time is generally a UNIX timestamp attribute named exp).

If the user's complete session duration is longer than 15 minutes, must re-check/update the ID token every 15 minutes or next user request (whichever comes first), to ensure that the user is still valid and has correct permissions. 

This suggests that, whatever the duration of the access_token, the returned credentials should be good for only 15 minutes, requiring a new call to oidcCredentials after that time, which will re-poll the profile and correctly represent any changed credentials at that time.
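
The expiry rule described in the comment above, sketched as an added example; it is not part of the bug comment and not taskcluster-login code. All function and field names are hypothetical, the sample session is constructed, and capping the credentials at the access_token's own expiry is an assumption.

```javascript
// Added example. All names are hypothetical; this is not taskcluster-login code.
const RECHECK_MS = 15 * 60 * 1000; // 15-minute interval from the guideline

// Issuer side: temporary credentials expire 15 minutes after issue,
// however long the access_token itself remains valid. Assumption: they
// also never outlive the access_token, and an expired token gets nothing.
function credentialExpiry(nowMs, accessTokenExpSec) {
  const tokenExpMs = accessTokenExpSec * 1000; // exp is a UNIX timestamp in seconds
  if (!Number.isFinite(tokenExpMs) || tokenExpMs <= nowMs) {
    throw new Error('access token missing exp or already expired');
  }
  return Math.min(nowMs + RECHECK_MS, tokenExpMs);
}

// Caller side: decide, on each user request, what to do with the session.
//   'invalidate' - ID token reached exp: end the session
//   'refresh'    - credentials expired or 15 minutes passed: call oidcCredentials again
//   'ok'         - keep using the cached credentials
function sessionAction(session, nowMs) {
  if (session.idTokenExpSec * 1000 <= nowMs) return 'invalidate';
  if (nowMs >= session.credentialsExpireMs) return 'refresh';
  if (nowMs - session.lastCheckedMs >= RECHECK_MS) return 'refresh';
  return 'ok';
}

// Constructed sample: a user logs in at t0 with a token valid for 8 hours.
const t0 = Date.UTC(2020, 0, 1, 12, 0, 0);
const session = {
  idTokenExpSec: t0 / 1000 + 8 * 3600,
  lastCheckedMs: t0,
  credentialsExpireMs: credentialExpiry(t0, t0 / 1000 + 8 * 3600),
};
for (const minutes of [5, 15, 8 * 60]) {
  console.log(`${minutes} min:`, sessionAction(session, t0 + minutes * 60 * 1000));
}
```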

Commits pushed to master at https://github.com/taskcluster/taskcluster-login

https://github.com/taskcluster/taskcluster-login/commit/e10b2638941897fb823167edc365138eb6327c7d
Bug 1388548 - set short expiration on credentials from oidcCredentials

https://wiki.mozilla.org/Security/Guidelines/OpenID_connect suggests
that callers re-check tokens every 15 minutes to gather any changes to
the user account. With this change, we force clients of
Taskcluster-login to do the same.

https://github.com/taskcluster/taskcluster-login/commit/b6a40f1ba01ad6e3bad6d99acc59ac4c03e3848a
Merge pull request #53 from djmitche/bug1388548

Bug 1388548 - set short expiration on credentials from oidcCredentials

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: Login → Services