From 50d6a3931274883e686b8546444d88b13a2739d8 Mon Sep 17 00:00:00 2001
From: Anis Eleuch
Date: Sat, 2 Sep 2023 15:50:45 +0100
Subject: [PATCH] idp: Use 900 seconds as minimum expiry without returning an error (#3022)

Do not bother the user with an error if the IDP expiry is less than 900 seconds, since the S3 spec sets a minimum of 900 seconds for STS expiration, use that minimum duration instead of returning an error

Co-authored-by: Anis Elleuch
Co-authored-by: Alex <33497058+bexsoft@users.noreply.github.com>
---
 pkg/auth/idp/oauth2/provider.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/auth/idp/oauth2/provider.go b/pkg/auth/idp/oauth2/provider.go
index 3a7ffe2af..d1d6494bf 100644
--- a/pkg/auth/idp/oauth2/provider.go
+++ b/pkg/auth/idp/oauth2/provider.go
@@ -341,6 +341,12 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
 		expiration = exp
 	}
 
+	// Minimum duration in S3 spec is 15 minutes, do not bother returning
+	// an error to the user and force the minimum duration instead
+	if expiration < 900*time.Second {
+		expiration = 900 * time.Second
+	}
+
 	idToken := oauth2Token.Extra("id_token")
 	if idToken == nil {
 		return nil, errors.New("missing id_token")
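Review bot: The clamp on the new `if expiration < 900*time.Second` line does not distinguish a short-but-valid expiry from a zero or negative one, so if `exp` (assigned just above, computed outside the hunk) can come from an already-expired IdP token, the change now issues 15 minutes of STS credentials where the pre-change code presumably refused. Guard that case before clamping, e.g. `if expiration <= 0 { return nil, errors.New("identity provider token already expired") }`, and consider logging when the IdP's value is raised so operators can see that the session lifetime exceeds what the IdP asked for. The 900-second literal appears twice; a named constant such as `const minSTSExpiry = 900 * time.Second` with a comment citing the S3 STS minimum would make the intent clearer and avoid the two literals drifting apart. VerifyIdentity begins and ends outside this hunk.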