FIX: Use STS env variable to increase the IDP token expiration (#3132)
Share link duration is based on the token expiration, this increases the IDP token expiration so the share link is able to last longer, by using an env variable called MINIO_STS_DURATION
This commit is contained in:
Adrian Najera
GitHub
@@ -20,9 +20,7 @@ package oauth2
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/sha1"
|
"crypto/sha1"
|
||||||
"strconv"
|
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/minio/console/pkg/auth/token"
|
"github.com/minio/console/pkg/auth/token"
|
||||||
"github.com/minio/pkg/v2/env"
|
"github.com/minio/pkg/v2/env"
|
||||||
@@ -106,15 +104,3 @@ func getSaltForIDPHmac() string {
|
|||||||
func getIDPScopes() string {
|
func getIDPScopes() string {
|
||||||
return env.Get(ConsoleIDPScopes, "openid,profile,email")
|
return env.Get(ConsoleIDPScopes, "openid,profile,email")
|
||||||
}
|
}
|
||||||
|
|
||||||
// getIDPTokenExpiration return default token expiration for access token
|
|
||||||
func getIDPTokenExpiration() time.Duration {
|
|
||||||
expiration := 12 * 3600
|
|
||||||
if expStr := env.Get(ConsoleIDPTokenExpiration, ""); expStr != "" {
|
|
||||||
if exp, err := strconv.Atoi(expStr); err == nil {
|
|
||||||
expiration = exp
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return time.Duration(expiration) * time.Second
|
|
||||||
}
|
|
||||||
|
|||||||
@@ -28,11 +28,11 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/minio/minio-go/v7/pkg/credentials"
|
|
||||||
"github.com/minio/minio-go/v7/pkg/set"
|
|
||||||
|
|
||||||
"github.com/minio/console/pkg/auth/token"
|
"github.com/minio/console/pkg/auth/token"
|
||||||
"github.com/minio/console/pkg/auth/utils"
|
"github.com/minio/console/pkg/auth/utils"
|
||||||
|
"github.com/minio/minio-go/v7/pkg/credentials"
|
||||||
|
"github.com/minio/minio-go/v7/pkg/set"
|
||||||
|
"github.com/minio/pkg/v2/env"
|
||||||
"golang.org/x/crypto/pbkdf2"
|
"golang.org/x/crypto/pbkdf2"
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
xoauth2 "golang.org/x/oauth2"
|
xoauth2 "golang.org/x/oauth2"
|
||||||
@@ -331,14 +331,18 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
|
|||||||
}
|
}
|
||||||
client.RefreshToken = oauth2Token.RefreshToken
|
client.RefreshToken = oauth2Token.RefreshToken
|
||||||
|
|
||||||
expiration := token.GetConsoleSTSDuration()
|
envStsDuration := env.Get(token.ConsoleSTSDuration, "")
|
||||||
if exp := getIDPTokenExpiration(); exp > 0 {
|
stsDuration, err := time.ParseDuration(envStsDuration)
|
||||||
expiration = exp
|
|
||||||
}
|
|
||||||
|
|
||||||
// Use the expiration configured in the token itself if it is closer than the configured value
|
expiration := 12 * time.Hour
|
||||||
if exp := oauth2Token.Expiry.Sub(time.Now().UTC()); exp < expiration {
|
|
||||||
expiration = exp
|
if err == nil && stsDuration > 0 {
|
||||||
|
expiration = stsDuration
|
||||||
|
} else {
|
||||||
|
// Use the expiration configured in the token itself if it is closer than the configured value
|
||||||
|
if exp := oauth2Token.Expiry.Sub(time.Now().UTC()); exp < expiration {
|
||||||
|
expiration = exp
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Minimum duration in S3 spec is 15 minutes, do not bother returning
|
// Minimum duration in S3 spec is 15 minutes, do not bother returning
|
||||||
|
|||||||
Reference in New Issue
Block a user