From 748486160f4924b2a76ab41f7ea5803631bfd52e Mon Sep 17 00:00:00 2001
From: Adrian Najera <39295224+adriangitvitz@users.noreply.github.com>
Date: Fri, 8 Dec 2023 11:58:46 -0600
Subject: [PATCH] FIX: Use STS env variable to increase the IDP token expiration (#3132)

Share link duration is based on the token expiration, this increases the IDP token expiration so the share link is able to last longer, by using an env variable called MINIO_STS_DURATION
---
 pkg/auth/idp/oauth2/config.go   | 14 --------------
 pkg/auth/idp/oauth2/provider.go | 24 ++++++++++++++----------
 2 files changed, 14 insertions(+), 24 deletions(-)

diff --git a/pkg/auth/idp/oauth2/config.go b/pkg/auth/idp/oauth2/config.go
index 9b91c9a40..f726a1e73 100644
--- a/pkg/auth/idp/oauth2/config.go
+++ b/pkg/auth/idp/oauth2/config.go
@@ -20,9 +20,7 @@ package oauth2
 
 import (
 	"crypto/sha1"
-	"strconv"
 	"strings"
-	"time"
 
 	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/pkg/v2/env"
@@ -106,15 +104,3 @@ func getSaltForIDPHmac() string {
 func getIDPScopes() string {
 	return env.Get(ConsoleIDPScopes, "openid,profile,email")
 }
-
-// getIDPTokenExpiration return default token expiration for access token
-func getIDPTokenExpiration() time.Duration {
-	expiration := 12 * 3600
-	if expStr := env.Get(ConsoleIDPTokenExpiration, ""); expStr != "" {
-		if exp, err := strconv.Atoi(expStr); err == nil {
-			expiration = exp
-		}
-	}
-
-	return time.Duration(expiration) * time.Second
-}
diff --git a/pkg/auth/idp/oauth2/provider.go b/pkg/auth/idp/oauth2/provider.go
index d1d6494bf..062eafa5c 100644
--- a/pkg/auth/idp/oauth2/provider.go
+++ b/pkg/auth/idp/oauth2/provider.go
@@ -28,11 +28,11 @@ import (
 	"strings"
 	"time"
 
-	"github.com/minio/minio-go/v7/pkg/credentials"
-	"github.com/minio/minio-go/v7/pkg/set"
-
 	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/console/pkg/auth/utils"
+	"github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/minio/minio-go/v7/pkg/set"
+	"github.com/minio/pkg/v2/env"
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/oauth2"
 	xoauth2 "golang.org/x/oauth2"
@@ -331,14 +331,18 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
 	}
 	client.RefreshToken = oauth2Token.RefreshToken
 
-	expiration := token.GetConsoleSTSDuration()
-	if exp := getIDPTokenExpiration(); exp > 0 {
-		expiration = exp
-	}
+	envStsDuration := env.Get(token.ConsoleSTSDuration, "")
+	stsDuration, err := time.ParseDuration(envStsDuration)
 
-	// Use the expiration configured in the token itself if it is closer than the configured value
-	if exp := oauth2Token.Expiry.Sub(time.Now().UTC()); exp < expiration {
-		expiration = exp
+	expiration := 12 * time.Hour
+
+	if err == nil && stsDuration > 0 {
+		expiration = stsDuration
+	} else {
+		// Use the expiration configured in the token itself if it is closer than the configured value
+		if exp := oauth2Token.Expiry.Sub(time.Now().UTC()); exp < expiration {
+			expiration = exp
+		}
 	}
 
 	// Minimum duration in S3 spec is 15 minutes, do not bother returning
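Review bot: On the `if err == nil && stsDuration > 0` line a set-but-malformed `MINIO_STS_DURATION` (for example a bare number of seconds, which `time.ParseDuration` rejects) is indistinguishable from an unset one: the parse error is dropped and the code quietly falls back to 12h capped by the IdP token expiry, so a mistyped value silently shortens credential lifetime with no signal to the operator. Parsing the raw variable inline also duplicates whatever `token.GetConsoleSTSDuration()` (called by the removed line) does with the same variable, so the two readers can drift in accepted format; a single helper in `token` that reports unset, invalid or valid would keep one parser. Because the `else` branch is skipped whenever the variable is set, the minted credentials can outlive the IdP access token by design, which deserves a comment such as `// A configured STS duration deliberately overrides the IdP token expiry so share links can outlast the access token.` instead of the old comment that now only describes the fallback. VerifyIdentity's body starts and ends outside the hunk, and `stsDuration, err :=` reuses any `err` already declared at this scope, so confirm nothing later in the function reads the earlier value; the sketch below rejects a set-but-invalid value rather than guessing, with the error return adjusted to the function's actual result list and `fmt` imported if it is not already. With `getIDPTokenExpiration()` gone, the `ConsoleIDPTokenExpiration` setting it read presumably stops having any effect while remaining declared, so the release note should say that it is now ignored.
```go
	// … unchanged: oauth2Token exchange and client.RefreshToken assignment …
	expiration := 12 * time.Hour
	if raw := env.Get(token.ConsoleSTSDuration, ""); raw != "" {
		stsDuration, perr := time.ParseDuration(raw)
		if perr != nil {
			// Set but unparseable is a misconfiguration; fail closed rather than silently shortening the lifetime.
			return nil, fmt.Errorf("parsing %s=%q: %w", token.ConsoleSTSDuration, raw, perr)
		}
		if stsDuration <= 0 {
			return nil, fmt.Errorf("%s must be a positive duration, got %q", token.ConsoleSTSDuration, raw)
		}
		// A configured STS duration deliberately overrides the IdP token expiry so share links can outlast the access token.
		expiration = stsDuration
	} else if exp := oauth2Token.Expiry.Sub(time.Now().UTC()); exp < expiration {
		// Nothing configured: never outlive the IdP token itself.
		expiration = exp
	}
	// … unchanged: 15-minute minimum clamp and the rest of VerifyIdentity …
```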