argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.47k stars 5.32k forks

Implement refresh tokens in ArgoCD Web UI #8325

Open jkroepke opened 2 years ago

jkroepke commented 2 years ago

Hi, I'm coming from https://github.com/argoproj/argo-cd/issues/455

Summary

Implement refresh tokens in ArgoCD Web UI.

Motivation

For security reasons, all access tokens are short-lived (5 minutes) and refresh tokens too (12 hours).

I fully understand the "re-logging in should be as convenient as possible" thesis, but I opened an application in ArgoCD Web UI. It won't refresh the UI. After 5 minutes, I only see a lot of 401 requests. I don't get any notification that my session is expired and I need to refresh the page manually. This confuses a lot of people.

Proposal

1. Implement refresh tokens

If a token is expired, use the refresh token to refresh an existing token. As far as I know, the refresh token can be stored inside the browser as a cookie, too.

2. Do a full browser reload if the session is expired.

It may not fully fix the problem, but it helps a lot since the Web UI can't be out of date anymore. A full browser reload is fine here, because from the IdP's perspective I'm still logged in and get instantly redirected back to ArgoCD.

jkroepke commented 2 years ago

To give more information on why we have such a low access token lifetime in our system:

https://www.pcidssguide.com/pci-dss-session-timeout-requirements/

PCI DSS requirement 8.1.8 requires the user to re-authenticate to reactivate the terminal or session if a session has been idle for more than 15 minutes. The PCI DSS inactive session timeout requirement applies to administrative or internal accounts.

From my point of view, solutions like https://github.com/argoproj/argo-workflows/pull/4095 won't help here, since the JWE generated by ArgoCD must have a short access lifetime, otherwise it might conflict with PCI.

MrLuje commented 1 year ago

@jkroepke I understand the point for idle sessions, but what about refreshing tokens on explicit user actions? (clicking "Refresh", "Sync" buttons, etc.)

jkroepke commented 1 year ago

Good point, explicit user actions should be supported as well as idle sessions.

ricardojdsilva87 commented 1 year ago

Hello @jkroepke, thanks for this initiative! I have added some information about what happens to us in this ticket. It seems that it's happening exactly as you describe.

Hronom commented 1 year ago

Same story here, even with a 1 hour token it's very disruptive. Please, can you do this re-login in the background?

GeorgiYosifov commented 1 year ago

Can I work on this after review of this PR: https://github.com/argoproj/argo-cd/pull/15004?

michaelajr commented 2 weeks ago

This issue has 50 upvotes. It is important. OIDC access/ID tokens are short lived - 5m sometimes. The refresh_token grant is used to implicitly get new tokens without the user needing to fully re-authenticate every 5m. The grant also returns a new refresh token on each call but with its expiration ticked down. When it reaches the total lifetime - that's when users should re-auth.
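The refresh flow described in this comment and in proposal 1 of the opening post, as an added example that is not Argo CD's own code: a constructed in-process token endpoint that implements the refresh_token grant with rotation (each refresh token is single use) and a 12-hour absolute lifetime, plus a server-side EnsureFresh helper that swaps in the rotated pair once the 5-minute access token expires and reports when the user has to log in again. The mock IdP, the Session type, EnsureFresh, RunScenario and the fake clock are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

const (
	accessTTL   = 5 * time.Minute  // short-lived access token, lifetime from the issue
	absoluteTTL = 12 * time.Hour   // total refresh-token lifetime, from the issue
	refreshSkew = 30 * time.Second // refresh a little early so requests never race expiry
)

// tokenResponse is the JSON body an OAuth 2.0 token endpoint returns (RFC 6749 section 5.1).
type tokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
}

// Session is the per-browser state a server-side session store would keep (constructed model).
type Session struct {
	AccessToken  string
	RefreshToken string
	AccessExpiry time.Time
}

// mockIdP is a constructed stand-in for the identity provider's token endpoint.
type mockIdP struct {
	mu     sync.Mutex
	now    func() time.Time
	seq    int
	chains map[string]time.Time // refresh token -> absolute expiry of the login it belongs to
	used   map[string]bool      // refresh tokens already spent (rotation)
}

func newMockIdP(now func() time.Time) *mockIdP {
	return &mockIdP{now: now, chains: map[string]time.Time{}, used: map[string]bool{}}
}

// issue mints a new access/refresh pair that inherits the login's absolute expiry.
func (m *mockIdP) issue(absExp time.Time) tokenResponse {
	m.seq++
	rt := fmt.Sprintf("rt-%d", m.seq)
	m.chains[rt] = absExp
	return tokenResponse{AccessToken: fmt.Sprintf("at-%d", m.seq), RefreshToken: rt, ExpiresIn: int(accessTTL.Seconds())}
}

// Login stands in for the authorization-code exchange after the user authenticated at the IdP.
func (m *mockIdP) Login() tokenResponse {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.issue(m.now().Add(absoluteTTL))
}

// ServeHTTP handles grant_type=refresh_token: unknown, replayed or over-age tokens get invalid_grant.
func (m *mockIdP) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.FormValue("grant_type") != "refresh_token" {
		http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
		return
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	rt := r.FormValue("refresh_token")
	absExp, known := m.chains[rt]
	if !known || m.used[rt] || !m.now().Before(absExp) {
		http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
		return
	}
	m.used[rt] = true
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(m.issue(absExp)) // new pair, same absolute expiry: it "ticks down"
}

var ErrReauthRequired = errors.New("refresh rejected: user must log in again")

// EnsureFresh returns a session whose access token is valid at now, running the refresh_token
// grant when it is expired (or inside refreshSkew of expiring). The bool reports whether it refreshed.
func EnsureFresh(s Session, tokenURL string, now time.Time) (Session, bool, error) {
	if now.Add(refreshSkew).Before(s.AccessExpiry) {
		return s, false, nil // still valid: no network round trip
	}
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {s.RefreshToken}}
	resp, err := http.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return s, false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Session{}, false, ErrReauthRequired // drop the session; the UI must send the user to login
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return s, false, err
	}
	return Session{AccessToken: tr.AccessToken, RefreshToken: tr.RefreshToken,
		AccessExpiry: now.Add(time.Duration(tr.ExpiresIn) * time.Second)}, true, nil
}

// RunScenario walks one session through the lifetimes from the issue on a fake clock.
func RunScenario() ([]string, error) {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed start time
	idp := newMockIdP(func() time.Time { return clock })
	srv := httptest.NewServer(idp)
	defer srv.Close()
	first := idp.Login()
	s := Session{AccessToken: first.AccessToken, RefreshToken: first.RefreshToken, AccessExpiry: clock.Add(accessTTL)}
	var events []string

	clock = clock.Add(time.Minute) // t+1m: token still valid, nothing happens
	s, refreshed, err := EnsureFresh(s, srv.URL, clock)
	if err != nil {
		return nil, err
	}
	events = append(events, fmt.Sprintf("t+1m refreshed=%v token=%s", refreshed, s.AccessToken))

	oldRT := s.RefreshToken
	clock = clock.Add(5 * time.Minute) // t+6m: access token expired, grant rotates the pair
	if s, refreshed, err = EnsureFresh(s, srv.URL, clock); err != nil {
		return nil, err
	}
	events = append(events, fmt.Sprintf("t+6m refreshed=%v token=%s", refreshed, s.AccessToken))

	_, _, err = EnsureFresh(Session{RefreshToken: oldRT}, srv.URL, clock) // replay of the spent token
	events = append(events, fmt.Sprintf("replay old refresh token: %v", err))

	clock = clock.Add(13 * time.Hour) // t+13h: past the 12h total lifetime, user must re-auth
	_, _, err = EnsureFresh(s, srv.URL, clock)
	events = append(events, fmt.Sprintf("t+13h: %v", err))
	return events, nil
}

func main() {
	events, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, e := range events {
		fmt.Println(e)
	}
}
```

The point the scenario makes for the UI work: a rotated refresh token means the old one is unusable, so the server must persist the new pair atomically with the new access token, and an invalid_grant response (replay or absolute lifetime reached) is the signal to clear the session and trigger the full reload from proposal 2 rather than letting requests pile up as 401s.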