heartcombo / devise

Flexible authentication solution for Rails with Warden.
http://blog.plataformatec.com.br/tag/devise/
MIT License

Session lifetime and omniauth access token expiration #5300

Open denishaskin opened 3 years ago

denishaskin commented 3 years ago

Environment

Current behavior

I'm trying to understand the interaction of devise and omniauth-oauth2 in regard to session duration and Oauth2 access_token expiration. I'm working through the code and trying to figure out what's handled "out of the box" and what we might need to implement for our application (or how much of this is already handled by devise/omniauth integration).

Basically, OAuth2 access tokens expire (typically with a relatively short duration, often one hour). When an access token has expired the application should re-authenticate the user, but there's also a refresh token mechanism that can be used to (as you might guess) refresh the access token without having to go through the whole user login process.

So basically, we want the (devise) session expiration time for a user who has authenticated via a given SSO authentication provider to be less than or equal to the access token expiration time, so that we ensure that we re-authenticate the user when the access token has expired. If we don't, we don't really know if the user is properly authenticated (what if the user has been disabled or removed at the SSO authentication provider?).

As far as I've been able to tell, though, the devise session lifetime (through rememberable) is not affected by this integration with omniauth. Is this something we need to handle ourselves? Anyone have any pointers on this?

(and apologies if this is too much of a question for a github issue, and should be on SO)

Expected behavior

Devise's session lifetime (via rememberable) should not be longer than a provider's expiration.

nayna123 commented 2 years ago

@denishaskin Did you get any solution for this problem? I have a similar requirement, so checking if there is any way out for setting devise's session expiration based on SSO access token.

jason-linthwaite commented 1 year ago

I'm also trying to understand this... I can't seem to find any docs or guides on how this actually works. Did you find anything out?

santiagomartinez commented 1 year ago

One way you can do that is by overriding #remember_me?(token, generated_at) (defined here) in the user model.

In the override, instead of checking for (self.class.remember_for.ago < generated_at) you can do something like Time.zone.now < DATE_WHEN_OMNIAUTH_TOKEN_EXPIRES (previously storing the Omniauth expiration date when the user logs in) or whatever fits your needs.
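A sketch of that override, added here as an example rather than code from Devise or from anyone in this thread. It stands in for Devise's Rememberable with a minimal module so it runs without Rails, assumes a hypothetical `oauth_expires_at` column filled from the omniauth-oauth2 credentials hash at login, and goes one step beyond the comment above by keeping Devise's own `remember_for` check via `super`, so the remembered session ends at whichever expiry comes first.

```ruby
require "time"

# Stand-in for the parts of Devise::Models::Rememberable this example touches,
# constructed here so the file runs without Rails or the devise gem.
module RememberableStandIn
  REMEMBER_FOR = 14 * 24 * 60 * 60 # seconds; plays the role of config.remember_for

  def remember_me?(token, generated_at)
    return false if generated_at.nil? || !generated_at.is_a?(Time)
    return false if (Time.now - REMEMBER_FOR) > generated_at # Devise's own window
    secure_compare(remember_token.to_s, token.to_s)
  end

  # Constant-time comparison, as Devise.secure_compare does.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class User
  include RememberableStandIn
  # oauth_expires_at is a hypothetical column holding the provider's token expiry.
  attr_accessor :remember_token, :oauth_expires_at

  # Record the expiry from the omniauth-oauth2 credentials hash when the user logs in.
  def self.from_omniauth(auth)
    user = new
    user.remember_token = "constructed-remember-token"
    expires_at = auth.dig("credentials", "expires_at") # Unix timestamp set by omniauth-oauth2
    user.oauth_expires_at = expires_at && Time.at(expires_at)
    user
  end

  # Override: honour the remember-me cookie only while the provider's access
  # token is still valid, on top of Devise's own remember_for window (super).
  def remember_me?(token, generated_at)
    return false if oauth_expires_at.nil? || Time.now >= oauth_expires_at
    super
  end
end

# Constructed auth hash in the shape omniauth-oauth2 provides (one-hour token).
SAMPLE_AUTH = { "credentials" => { "token" => "constructed", "expires_at" => Time.now.to_i + 3600 } }
```

Once the provider's token has expired the cookie stops authenticating, which forces the user back through the SSO flow rather than letting a stale remember-me session outlive the access token.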