Allow users to set an expiration time for both personal and service app passwords.
Choose a conservative expiration time (60 days? 365 days?) by default.
Details
Setting an expiration time on API tokens is considered security best practice. We should allow users to configure an expiration time for both personal and service app passwords.
We should also suggest users follow best practices by using a conservative default for the expiration time, like 60 days or 365 days.
Ideally, we'd also let users with the Organization Admin role set the maximum allowable expiration time for their organization. I don't think we'd want to force a maximum expiration time on our users—it can be very frustrating to have to frequently rotate service tokens, and many organizations would likely balk at the prospect, despite the enhanced security it provides.
Unfortunately, Frontegg doesn't support expiration on the type of API tokens we use ("client credentials"). (At least, their docs don't indicate that the expiresInMinutes field is supported; worth double checking, though!) We'd have to ask them to build this, or build it ourselves on top of the metadata field. If we did build it ourselves, we wouldn't have any way to let organization admins constrain the allowable expiration times, since that constraint would need to be enforced in Frontegg's API.
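As an added illustration (not code from this project or from Frontegg) of what the "build it ourselves on top of the metadata field" option would look like: the expiry is written into the token's metadata at creation time, where the organization maximum and a hard cap are the only places they can be enforced, and checked at request time. The metadata key name, the hard cap and the handling of legacy tokens without an expiry are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Defaults discussed in the issue; the hard cap is a hypothetical upper bound.
DEFAULT_TTL = timedelta(days=60)
HARD_CAP_TTL = timedelta(days=365)

EXPIRES_KEY = "expires_at"  # hypothetical key stored in the token's metadata field


def expiry_metadata(created_at, requested_ttl=None, org_max_ttl=None):
    """Build the metadata stored with a new app password.

    The effective lifetime is the requested one (or the default). It is
    rejected if it exceeds the organization's maximum or the hard cap; since
    Frontegg would not know about either limit, this is where it has to live.
    """
    if created_at.tzinfo is None:
        raise ValueError("created_at must be timezone-aware")
    ttl = requested_ttl if requested_ttl is not None else DEFAULT_TTL
    if ttl <= timedelta(0):
        raise ValueError("expiration must be in the future")
    cap = HARD_CAP_TTL if org_max_ttl is None else min(org_max_ttl, HARD_CAP_TTL)
    if ttl > cap:
        raise ValueError(f"requested lifetime {ttl} exceeds maximum {cap}")
    return {EXPIRES_KEY: (created_at + ttl).isoformat()}


def token_status(metadata, now):
    """Classify a token as 'valid', 'expired', 'no-expiry' or 'malformed'.

    Tokens issued before this feature carry no expiry key; the caller decides
    whether 'no-expiry' is still accepted. Unparseable or naive timestamps
    fail closed as 'malformed' rather than being treated as non-expiring.
    """
    raw = (metadata or {}).get(EXPIRES_KEY)
    if raw is None:
        return "no-expiry"
    try:
        expires_at = datetime.fromisoformat(raw)
    except (TypeError, ValueError):
        return "malformed"
    if expires_at.tzinfo is None:
        return "malformed"
    return "expired" if now >= expires_at else "valid"


if __name__ == "__main__":
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample
    meta = expiry_metadata(created)
    print(meta, token_status(meta, created + timedelta(days=61)))
```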
cc @morsapaes @matthewarthur