benesch
commented
3 weeks ago @chaas I'm going to drop this into the Surfaces Team project for now, for lack of a better home.
Open benesch opened 3 weeks ago
benesch
commented
3 weeks ago @chaas I'm going to drop this into the Surfaces Team project for now, for lack of a better home.
benesch
commented
2 weeks ago @matthewarthur proposes a default expiration time of 1 year.
Summary
Details
Setting an expiration time on API tokens is considered security best practice. We should allow users to configure an expiration time for both personal and service app passwords.
We should also suggest users follow best practices by using a conservative default for the expiration time, like 60 days or 365 days.
Ideally, we'd also let users with the Organization Admin role set the maximum allowable expiration time for their organization. I don't think we'd want to force a maximum expiration time on our users—it can be very frustrating to have to frequently rotate service tokens, and many organizations would likely balk at the prospect, despite the enhanced security it provides.
Unfortunately, Frontegg doesn't support expiration on the type of API tokens we use ("client credentials"). (At least, their docs don't indicate that the
expiresInMinutesfield is supported; worth double checking, though!) We'd have to ask them to build this, or build it ourselves on top of themetadatafield. If we did build it ourselves, we wouldn't have any way to let organization admins constrain the allowable expiration times, since that constraint would need to be enforced in Frontegg's API.cc @morsapaes @matthewarthur