From 6411dc9504427fb8cf7b0fff62d470e36fd4dbb0 Mon Sep 17 00:00:00 2001
From: Anis Eleuch
Date: Fri, 28 Jul 2023 05:25:47 +0100
Subject: [PATCH] auth: Avoid forcing one hour expiration for IDP sts creds (#2966)

---
 pkg/auth/idp/oauth2/config.go | 15 ++++++++++++---
 pkg/auth/idp/oauth2/provider.go | 21 +++++++++++----------
 pkg/auth/token/config.go | 2 +-
 3 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/pkg/auth/idp/oauth2/config.go b/pkg/auth/idp/oauth2/config.go
index bc46bd4f6..6c2e867e3 100644
--- a/pkg/auth/idp/oauth2/config.go
+++ b/pkg/auth/idp/oauth2/config.go
@@ -20,7 +20,9 @@ package oauth2
 
 import (
  "crypto/sha1"
+ "strconv"
  "strings"
+ "time"
 
  "github.com/minio/console/pkg/auth/token"
  "github.com/minio/pkg/env"
@@ -105,7 +107,14 @@ func getIDPScopes() string {
  return env.Get(ConsoleIDPScopes, "openid,profile,email")
 }
 
-// getIDPTokenExpiration return default token expiration for access token (in seconds)
-func getIDPTokenExpiration() string {
- return env.Get(ConsoleIDPTokenExpiration, "3600")
+// getIDPTokenExpiration return default token expiration for access token
+func getIDPTokenExpiration() time.Duration {
+ expiration := 12 * 3600
+ if expStr := env.Get(ConsoleIDPTokenExpiration, ""); expStr != "" {
+ if exp, err := strconv.Atoi(expStr); err == nil {
+ expiration = exp
+ }
+ }
+
+ return time.Duration(expiration) * time.Second
 }
diff --git a/pkg/auth/idp/oauth2/provider.go b/pkg/auth/idp/oauth2/provider.go
index 24aab3858..94ac56676 100644
--- a/pkg/auth/idp/oauth2/provider.go
+++ b/pkg/auth/idp/oauth2/provider.go
@@ -25,13 +25,13 @@ import (
  "fmt"
  "net/http"
  "net/url"
- "strconv"
  "strings"
  "time"
 
  "github.com/minio/minio-go/v7/pkg/credentials"
  "github.com/minio/minio-go/v7/pkg/set"
 
+ "github.com/minio/console/pkg/auth/token"
  "github.com/minio/console/pkg/auth/utils"
  "golang.org/x/crypto/pbkdf2"
  "golang.org/x/oauth2"
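Review bot: The unconditional `expiration := 12 * 3600` default means getIDPTokenExpiration never returns 0 when ConsoleIDPTokenExpiration is unset, so the caller's `exp > 0` fallback to token.GetConsoleSTSDuration() in provider.go only fires when an operator deliberately sets a zero or negative value; presumably the intent was for the console STS duration to govern the default, and as written it is overridden by this hard-coded 12h. A negative integer is also accepted here and becomes a negative Duration, and a non-numeric value (say "1h", which reads like a duration) is silently replaced by 12h, so a session-lifetime misconfiguration produces no signal. Returning 0 for unset, unparsable or non-positive input keeps the default in one place and lets the existing guard in VerifyIdentity do its job; logging the rejected value would be better still, but this package's logger is not visible in the hunk. The doc comment should also keep the "(in seconds)" unit the old one carried, since strconv.Atoi still parses seconds.
```go
// getIDPTokenExpiration returns the access-token lifetime configured in
// ConsoleIDPTokenExpiration (in seconds), or 0 when it is unset, unparsable
// or non-positive so that callers fall back to token.GetConsoleSTSDuration().
func getIDPTokenExpiration() time.Duration {
	exp, err := strconv.Atoi(env.Get(ConsoleIDPTokenExpiration, ""))
	if err != nil || exp <= 0 {
		return 0
	}
	return time.Duration(exp) * time.Second
}
```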
@@ -331,22 +331,23 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
  return nil, errors.New("invalid token")
  }
- // expiration configured in the token itself
- expiration := int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds())
-
- // check if user configured a hardcoded expiration for console via env variables
- // and override the incoming expiration
- userConfiguredExpiration := getIDPTokenExpiration()
- if userConfiguredExpiration != "" {
- expiration, _ = strconv.Atoi(userConfiguredExpiration)
+ expiration := token.GetConsoleSTSDuration()
+ if exp := getIDPTokenExpiration(); exp > 0 {
+ expiration = exp
  }
+
+ // Use the expiration configured in the token itself if it is closer than the configured value
+ if exp := oauth2Token.Expiry.Sub(time.Now().UTC()); exp < expiration {
+ expiration = exp
+ }
+
  idToken := oauth2Token.Extra("id_token")
  if idToken == nil {
  return nil, errors.New("missing id_token")
  }
  token := &credentials.WebIdentityToken{
  Token: idToken.(string),
- Expiry: expiration,
+ Expiry: int(expiration.Seconds()),
  }
  if client.UserInfo {
  // look for access_token only if userinfo is requested.
  accessToken := oauth2Token.Extra("access_token")
diff --git a/pkg/auth/token/config.go b/pkg/auth/token/config.go
index 9ee918881..7a2828a57 100644
--- a/pkg/auth/token/config.go
+++ b/pkg/auth/token/config.go
@@ -26,7 +26,7 @@ import (
 // GetConsoleSTSDuration returns the default session duration for the STS requested tokens (defaults to 12h)
 func GetConsoleSTSDuration() time.Duration {
  duration, err := time.ParseDuration(env.Get(ConsoleSTSDuration, "12h"))
- if err != nil {
+ if err != nil || duration <= 0 {
  duration = 12 * time.Hour
  }
  return duration
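Review bot: The new clamp `if exp := oauth2Token.Expiry.Sub(time.Now().UTC()); exp < expiration {` does not guard against a zero Expiry: golang.org/x/oauth2 leaves Token.Expiry as the zero time when the provider returns no expires_in, and Token.Valid() still accepts such a token, so Sub yields a huge negative duration, the comparison is true, and `Expiry: int(expiration.Seconds())` hands a negative lifetime to the STS request (the preceding "invalid token" check is outside the hunk, so I cannot confirm it rejects this case). The old code performed the same subtraction but then overwrote the result with the env value, so this path is newly reachable. I would skip the clamp for a zero Expiry and refuse a token that is already past its lifetime rather than pass a non-positive number downstream: `if exp := time.Until(oauth2Token.Expiry); !oauth2Token.Expiry.IsZero() && exp < expiration {` with the existing assignment, then `if expiration <= 0 { return nil, errors.New("token already expired") }` before building the WebIdentityToken. VerifyIdentity both starts and ends outside the hunk.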
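Review bot: The added `|| duration <= 0` silently replaces a non-positive ConsoleSTSDuration with 12 hours, just as the existing branch already does for an unparsable one, so an operator who mistypes a short lifetime ends up with a 12-hour session and no indication that the value was rejected. Since this is a session-lifetime control, the doc comment should at least state the fallback rule: `// GetConsoleSTSDuration returns the session duration for STS-requested tokens, read from ConsoleSTSDuration; unparsable or non-positive values fall back to 12h.` Logging the rejected value would be better still, but the package's logging facility is not visible here, and the "12h" string and `12 * time.Hour` literal could share one named constant so the two defaults cannot drift. The function's closing brace is outside the hunk.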