Open jkroepke opened 2 years ago
To gain more information, why we have such a low access token lifetime in our system:
https://www.pcidssguide.com/pci-dss-session-timeout-requirements/
PCI DSS requirement 8.1.8 requires the user to re-authenticate to reactivate the terminal or session if a session has been idle for more than 15 minutes. The PCI DSS inactive session timeout requirement applies to administrative or internal accounts.
From my point of view, solutions like https://github.com/argoproj/argo-workflows/pull/4095 won't help here, since the JWE generated by ArgoCD must have a short life access time, otherwise it might be a conflict with PCI.
@jkroepke I understand the point for idle sessions, but what about refreshing tokens on explicit user actions? (clicking "Refresh", "Sync" buttons, etc.)
Good point, explicit user action should be supported as well as idle sessions
Hello @jkroepke, thanks for this initiative! I have added some information about what happens to us in this ticket. It seems that it's happening exactly as you describe.
Same story here, even with 1 hour token it's very disruptive. Please can you do this re-login in background?
Can I work on this after review of this PR: https://github.com/argoproj/argo-cd/pull/15004
This issue has 50 upvotes. It is important. OIDC access/ID tokens are short lived - 5m sometimes. The refresh_token grant is used to implicitly get new tokens without the user needing to fully re-authenticate every 5m. The grant also returns a new refresh token on each call but with its expiration ticked down. When it reaches the total lifetime - that's when users should re-auth.
Hi, I'm coming from https://github.com/argoproj/argo-cd/issues/455
Summary
Implement refresh tokens in ArgoCD Web UI.
Motivation
For security reasons, all access tokens are short-lived (5 minutes) and refresh tokens (12 hours).
I fully understand the "re-logging in should be as convenient as possible" point, but I opened an application in the ArgoCD Web UI. It won't refresh the UI. After 5 minutes, I only see a lot of 401 requests. I don't get any notification that my session has expired and I need to refresh the page manually. This confuses a lot of people.
Proposal
1. Implement refresh tokens
If a token is expired, use the refresh token to refresh an existing token. As I know, the refresh token can be stored inside browser as cookie, too.
2. Do a full browser reload if the session is expired.
It may not fully fix the problem, but it helps a lot since the Web UI can't be out of date anymore. A full browser reload is fine here, because from the IdP's perspective I'm still logged in and get instantly redirected back to ArgoCD.
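The refresh_token grant described in the "50 upvotes" comment above and the two-step proposal in the issue body (use the refresh token when the access token expires, fall back to a full reload when the session is really gone), as an added JavaScript example that is not Argo CD's own code and was not posted by anyone in this thread. It assumes a public OIDC client that posts `grant_type=refresh_token` to a token endpoint answering with `access_token`, `refresh_token` and `expires_in`, and an API that returns 401 for an expired access token; the endpoint URL, client id, token values and the fake server inside `demo()` are all constructed for the example.

```javascript
// Added example (not Argo CD's code): a browser-side session helper that
//  1. exchanges the refresh token for new tokens (OIDC refresh_token grant),
//  2. retries an API call that returned 401 once the access token is renewed,
//  3. forces a full page reload when the refresh token itself is rejected,
//     so the IdP can re-authenticate the user.
// Token endpoint URL, client id, token values and the fake server in demo()
// are constructed for this example.

class TokenSession {
  constructor({ tokenEndpoint, clientId, accessToken, refreshToken, expiresIn,
                fetchImpl = (...args) => globalThis.fetch(...args),
                reload = () => globalThis.location.reload(),
                now = () => Date.now() }) {
    Object.assign(this, { tokenEndpoint, clientId, accessToken, refreshToken, fetchImpl, reload, now });
    this.expiresAt = now() + expiresIn * 1000;
    this.refreshing = null; // in-flight refresh promise, shared by concurrent callers
  }

  // refresh_token grant (RFC 6749 section 6); resolves to false when the IdP rejects it.
  async refresh() {
    const body = new URLSearchParams({
      grant_type: 'refresh_token', refresh_token: this.refreshToken, client_id: this.clientId,
    });
    const res = await this.fetchImpl(this.tokenEndpoint, {
      method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body,
    });
    if (!res.ok) return false; // e.g. invalid_grant: refresh token expired or revoked
    const tok = await res.json();
    this.accessToken = tok.access_token;
    if (tok.refresh_token) this.refreshToken = tok.refresh_token; // rotated refresh token
    this.expiresAt = this.now() + (tok.expires_in ?? 300) * 1000;
    return true;
  }

  // Single-flight: a burst of concurrent 401s causes one grant call, not one per request.
  refreshOnce() {
    if (!this.refreshing) {
      this.refreshing = this.refresh().finally(() => { this.refreshing = null; });
    }
    return this.refreshing;
  }

  async apiFetch(url, init = {}) {
    // Refresh proactively within 30 s of expiry so the UI never sees the 401 at all.
    if (this.now() >= this.expiresAt - 30_000) await this.refreshOnce();
    const send = () => this.fetchImpl(url, {
      ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${this.accessToken}` },
    });
    const res = await send();
    if (res.status !== 401) return res;
    if (!(await this.refreshOnce())) {
      this.reload(); // refresh token exhausted: full reload lets the IdP re-authenticate
      return res;
    }
    return send(); // retry once with the renewed access token
  }
}

// Constructed fake of the API and the IdP token endpoint so the example runs offline.
function makeFakeServer() {
  const s = { access: 'access-1', refresh: 'refresh-1', n: 1, refreshAlive: true, tokenCalls: 0, unauthorized: 0 };
  const fetchImpl = async (url, init = {}) => {
    if (url === 'https://idp.example/token') {
      s.tokenCalls += 1;
      const sent = new URLSearchParams(init.body).get('refresh_token');
      if (!s.refreshAlive || sent !== s.refresh) {
        return { ok: false, status: 400, json: async () => ({ error: 'invalid_grant' }) };
      }
      s.n += 1; s.access = `access-${s.n}`; s.refresh = `refresh-${s.n}`; // rotate both tokens
      return { ok: true, status: 200, json: async () => ({ access_token: s.access, refresh_token: s.refresh, expires_in: 300 }) };
    }
    if ((init.headers || {}).Authorization === `Bearer ${s.access}`) return { ok: true, status: 200 };
    s.unauthorized += 1;
    return { ok: false, status: 401 };
  };
  return { s, fetchImpl };
}

// Walks through the situations described in the thread and reports what happened.
async function demo() {
  const { s, fetchImpl } = makeFakeServer();
  let clock = 0, reloads = 0;
  const session = new TokenSession({
    tokenEndpoint: 'https://idp.example/token', clientId: 'argo-cd',
    accessToken: 'access-1', refreshToken: 'refresh-1', expiresIn: 300,
    fetchImpl, reload: () => { reloads += 1; }, now: () => clock,
  });
  const url = 'https://argocd.example/api/v1/applications';
  const out = {};
  out.fresh = (await session.apiFetch(url)).status;                   // token still valid
  s.access = 'expired';                                               // IdP-side expiry of access-1
  out.burst = (await Promise.all([1, 2, 3].map(() => session.apiFetch(url)))).map(r => r.status);
  out.tokenCallsAfterBurst = s.tokenCalls;                            // one refresh for three 401s
  clock = 280_000;                                                    // 20 s before expiry
  out.proactive = (await session.apiFetch(url)).status;               // renewed before any 401
  out.unauthorized = s.unauthorized;                                  // only the burst produced 401s
  s.refreshAlive = false; s.access = 'expired';                       // refresh token hit its total lifetime
  out.final = (await session.apiFetch(url)).status;                   // 401 stays, reload requested
  out.reloads = reloads;
  return out;
}

if (typeof require !== 'undefined' && require.main === module) demo().then(console.log);
```

The single-flight `refreshOnce()` matters for the failure mode the issue describes: an open application page fires many API calls at once, and without it each 401 would trigger its own refresh_token grant, burning through rotated refresh tokens and tripping IdP reuse detection. Keeping the refresh token in page script is the simplest arrangement for a demo; in a deployment the long-lived refresh token is better held in an HttpOnly cookie and exchanged by the Argo CD server, which keeps it out of reach of any script running in the page.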