Bug 1388548
Opened 7 years ago
Closed 7 years ago
Set expiration of issued temporary credentials
Categories
(Taskcluster :: Services, defect)
RESOLVED FIXED
People
(Reporter: dustin, Assigned: dustin)
Description
https://wiki.mozilla.org/Security/Guidelines/OpenID_connect
The web application (RP) must invalidate the user session when the ID token reaches expiration or sooner (the expiration time is generally a UNIX timestamp attribute named exp).
If the user's complete session duration is longer than 15 minutes, the RP must re-check/update the ID token every 15 minutes or on the next user request (whichever comes first), to ensure that the user is still valid and has correct permissions.
This suggests that, whatever the duration of the access_token, the returned credentials should be good for only 15 minutes, requiring a new call to oidcCredentials after that time, which will re-poll the profile and correctly represent any changed credentials at that time.
Commits pushed to master at https://github.com/taskcluster/taskcluster-login
https://github.com/taskcluster/taskcluster-login/commit/e10b2638941897fb823167edc365138eb6327c7d
Bug 1388548 - set short expiration on credentials from oidcCredentials
https://wiki.mozilla.org/Security/Guidelines/OpenID_connect suggests
that callers re-check tokens every 15 minutes to gather any changes to
the user account. With this change, we force clients of
Taskcluster-login to do the same.
https://github.com/taskcluster/taskcluster-login/commit/b6a40f1ba01ad6e3bad6d99acc59ac4c03e3848a
Merge pull request #53 from djmitche/bug1388548
Bug 1388548 - set short expiration on credentials from oidcCredentials
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•6 years ago
Component: Login → Services