greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0
1.49k stars 73 forks

Is it possible to postpone the access_token expiration with every call? #335

Open carlo161 opened 7 months ago

carlo161 commented 7 months ago

When I successfully log in and get forwarded to my webpage I obtain the following:

(screenshot attached: 2024-04-17_12h16_50)

I would like to implement some sort of a timeout: if you do not interact with the page in 10 minutes, at the next call you will have to login again. Right now I am using:

    authentication portal my_portal {
      crypto default token lifetime 600
      cookie lifetime 7200
    }

But after 20 minutes I have to login again. With every call the expiration of the session cookie gets extended, but the access_token one does not. Is it possible to do that?

jspadaro commented 6 months ago

The issue appears to me to be that that token is a JWT that is hardcoded to expire in 900 seconds (15 minutes).

It's pretty annoying with SSO and really annoying if you do local logins or are streaming anything for any duration.

I'm actually not clear why you can even set a cookie lifetime if this limitation is still in place.

I may try to patch something myself for my own use, something like issue a new JWT if the current one expired within the last 5 or 10 minutes and is otherwise valid, but I would really love to see something similar as an official change.

greenpau commented 6 months ago

You have two different lifetimes: one of the token and one of the cookie holding that token. Set them both to a higher number of seconds to extend the lifetime. I would keep the cookie lifetime a bit longer.

greenpau commented 6 months ago

    crypto default token lifetime 7200
    cookie lifetime 14440

This would be a 2-hour expiration.

carlo161 commented 6 months ago

> crypto default token lifetime 7200
> cookie lifetime 14440
>
> This would be a 2-hour expiration.

I am not trying to enlarge the lifetime, but to reset it with every interaction. If the user keeps on working with the page the lifetime is potentially eternal, but as soon as he stops, after, for example, 10 minutes the token expires.

greenpau commented 6 months ago

@carlo161 , are you asking for the ability to refresh the token just before it expires?

greenpau commented 6 months ago

As long as the user is active?

jspadaro commented 6 months ago

Ah, I was mistaken. Either way, my overarching confusion was "Why have a longer cookie lifetime if the JWT expiring kills the session?"

Anyway, back to this issue - yes, @greenpau, I think the ask is to make the token auto-refresh / have the expiration extend to now+increment on every request.

carlo161 commented 6 months ago

Yes, right. I would like to refresh the token with every call, as long as the user is active.
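An added example (Go, written for this thread; not code from caddy-security or from any commenter) that models the two independent lifetimes greenpau describes (cookie and token, where the effective idle lifetime is the shorter of the two) and the sliding renewal that jspadaro and carlo161 ask for (re-issue a still-valid token on a request that arrives close to its expiry). `Policy`, `Session`, `Touch`, `RenewWithin` and `MaxAge` are illustrative names, not plugin directives; the login time is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrLoginRequired is returned when a request arrives after the session can
// no longer be used and the user has to authenticate again.
var ErrLoginRequired = errors.New("session expired: login required")

// Policy holds the lifetimes a portal is configured with, expressed like the
// Caddyfile values in the thread ("cookie lifetime" and "crypto default token
// lifetime", both in seconds) plus two hypothetical settings for the sliding
// behaviour the issue asks for. Field names are illustrative, not
// caddy-security directives.
type Policy struct {
	CookieLifetime time.Duration
	TokenLifetime  time.Duration
	// RenewWithin: re-issue a still-valid token when a request arrives and
	// the token expires within this window (zero disables sliding renewal).
	RenewWithin time.Duration
	// MaxAge: absolute cap counted from the original login; renewal never
	// extends a session past this point, so activity alone cannot keep a
	// single login (or a stolen token) alive forever.
	MaxAge time.Duration
}

// Session models the two independent expiries: the cookie that carries the
// token and the token (JWT) itself.
type Session struct {
	IssuedAt      time.Time // time of the original login
	CookieExpires time.Time
	TokenExpires  time.Time
}

// NewSession creates the session state issued at login time.
func NewSession(p Policy, now time.Time) Session {
	return Session{
		IssuedAt:      now,
		CookieExpires: now.Add(p.CookieLifetime),
		TokenExpires:  now.Add(p.TokenLifetime),
	}
}

// IsValid reports whether a request at time now is still authenticated:
// both the cookie and the token it carries must be unexpired.
func (s Session) IsValid(now time.Time) bool {
	return now.Before(s.CookieExpires) && now.Before(s.TokenExpires)
}

// EffectiveLifetime is how long a fresh login stays usable with no further
// interaction: the shorter of the two lifetimes. This is why raising only
// "cookie lifetime" does not keep a user logged in past the token lifetime.
func EffectiveLifetime(p Policy) time.Duration {
	if p.TokenLifetime < p.CookieLifetime {
		return p.TokenLifetime
	}
	return p.CookieLifetime
}

// Touch is the per-request check with sliding renewal. It returns the
// (possibly renewed) session and whether a new token was issued.
func Touch(p Policy, s Session, now time.Time) (Session, bool, error) {
	if !s.IsValid(now) {
		return s, false, ErrLoginRequired
	}
	if p.RenewWithin <= 0 || s.TokenExpires.Sub(now) > p.RenewWithin {
		return s, false, nil // not close enough to expiry; nothing to do
	}
	// Renew: fresh lifetimes from now, but never past the absolute cap.
	s.TokenExpires = now.Add(p.TokenLifetime)
	s.CookieExpires = now.Add(p.CookieLifetime)
	if p.MaxAge > 0 {
		hardStop := s.IssuedAt.Add(p.MaxAge)
		if s.TokenExpires.After(hardStop) {
			s.TokenExpires = hardStop
		}
		if s.CookieExpires.After(hardStop) {
			s.CookieExpires = hardStop
		}
	}
	return s, true, nil
}

func main() {
	p := Policy{CookieLifetime: 7200 * time.Second, TokenLifetime: 600 * time.Second,
		RenewWithin: 5 * time.Minute, MaxAge: 8 * time.Hour}
	t0 := time.Date(2024, 4, 17, 12, 16, 50, 0, time.UTC) // constructed login time
	s := NewSession(p, t0)
	fmt.Println("effective idle lifetime:", EffectiveLifetime(p))
	// Requests at +200s (no renewal), +400s (renewed), +1001s (idle too long).
	for _, delta := range []time.Duration{200 * time.Second, 400 * time.Second, 1001 * time.Second} {
		var renewed bool
		var err error
		s, renewed, err = Touch(p, s, t0.Add(delta))
		fmt.Printf("request at +%v: renewed=%v err=%v token expires %s\n",
			delta, renewed, err, s.TokenExpires.Format("15:04:05"))
	}
}
```

With the thread's values (token 600 s, cookie 7200 s) the idle lifetime is 600 s, so the cookie setting does nothing on its own; with a renewal window the session stays alive while requests keep arriving, and `MaxAge` bounds how long continuous activity can extend a single login.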

alyssondiasmec commented 5 months ago

Following this for further information, since I would like to refresh the token on every call too.

alyssondiasmec commented 3 months ago

Any update on this? Does this plugin already support token refresh?

amc1999 commented 3 days ago

It is a critical issue for our project: users have to stay logged in for as long as they are active (GET, POST, ...). The only option for me now is to set lifetime = 2 years, which is not a proper solution but rather a desperate measure.