opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] JWT expiry setting not honored #1448

Open GuiTeK opened 3 years ago

GuiTeK commented 3 years ago

Describe the bug

The code of this repository (see AuthTokenProcessorHandler:L354) and this comment suggest there is a JWT expiry setting. However, when setting it like below, it doesn't work (JWT expiry is still the default 60 * 60 seconds).

config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    kibana:
      multitenancy_enabled: false
    http:
      anonymous_auth_enabled: false
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates (for Kibana Server)"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "clientcert"
          config:
            username_attribute: "cn"
          challenge: false
        authentication_backend:
          type: "noop"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: "saml"
          challenge: true
          config:
            idp:
              metadata_url: "https://subdomain.okta.com/app/xxx/sso/saml/metadata"
              entity_id: "http://www.okta.com/xxx"
            sp:
              entity_id: "logs-kibana-saml"
            kibana_url: "https://kb.logs.example.com/"
            roles_key: "Roles"
            exchange_key: "xxx"
            jwt:
              expiry: NOW+10
        authentication_backend:
          type: "noop"

To Reproduce

Steps to reproduce the behavior:

  1. Set the config.yml of the security plugin to the contents shown above
  2. Apply it with securityadmin.sh
  3. Log in Kibana
  4. Wait for 10-20 seconds
  5. Refresh a Kibana page and see that the session is still valid/no re-login is required

Expected behavior

Setting jwt.expiry should change the TTL of the generated JWT.

Host/Environment (please complete the following information):

opendistro-alerting               1.13.1.0-1 
opendistro-anomaly-detection      1.13.0.0-1
opendistro-asynchronous-search    1.13.0.1-1
opendistro-index-management       1.13.2.0-1
opendistro-job-scheduler          1.13.0.0-1
opendistro-knn                    1.13.0.0-1
opendistro-knnlib                 1.13.0.0
opendistro-performance-analyzer   1.13.0.0-1
opendistro-reports-scheduler      1.13.0.0-1
opendistro-security               1.13.1.0-1
opendistro-sql                    1.13.2.0-1
opendistroforelasticsearch        1.13.2-1
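Step 5 of the reproduction above infers the token lifetime from whether a page refresh still works. A more direct check is to decode the JWT the plugin issued and compare its `exp - iat` lifetime against the configured value, since that difference is exactly what `jwt.expiry` is supposed to control (default 3600 seconds per the report). The following is an added example, not code from this issue or from the security plugin: it constructs a sample HS256 token with the Python standard library, verifies its signature, and reports whether the encoded lifetime matches a configured TTL. HS256 and the constructed secret are assumptions for the sample only; the algorithm and key the plugin uses for SAML-exchanged tokens are not stated on this page, so substitute the real token and key when checking a live cluster.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(secret: bytes, ttl_seconds: int, issued_at: int,
                     subject: str = "user@example.com") -> str:
    """Build a constructed HS256 JWT (test data, not a plugin-issued token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl_seconds}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_and_decode(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature, then return the claims.

    Raises ValueError on a malformed token, unexpected alg, or bad signature,
    so a tampered token is never inspected as if it were genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 segments")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(parts[1]))


def token_ttl_seconds(claims: dict) -> int:
    """Lifetime encoded in the token: exp - iat (both NumericDate, in seconds)."""
    if "exp" not in claims or "iat" not in claims:
        raise ValueError("token lacks exp and/or iat claims")
    ttl = int(claims["exp"]) - int(claims["iat"])
    if ttl <= 0:
        raise ValueError("exp is not after iat")
    return ttl


def expiry_honored(claims: dict, configured_ttl: int) -> bool:
    """True when the token lifetime equals the TTL the config asked for."""
    return token_ttl_seconds(claims) == configured_ttl


if __name__ == "__main__":
    # Constructed demo: a token minted with a 10-second TTL, checked against the
    # configured value (10) and against the 3600-second default named in the report.
    secret = b"constructed-demo-secret"
    token = make_hs256_token(secret, ttl_seconds=10, issued_at=int(time.time()))
    claims = verify_and_decode(token, secret)
    print("token lifetime:", token_ttl_seconds(claims), "seconds")
    print("matches configured 10s:", expiry_honored(claims, 10))
    print("matches default 3600s:", expiry_honored(claims, 3600))
```

Run `verify_and_decode` with the real token and key before trusting any claim; a token whose `exp - iat` still equals 3600 after setting `expiry: NOW+10` is a concrete demonstration of the behavior this issue reports, independent of browser session handling.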

sandervandegeijn commented 2 years ago

Seems related to https://github.com/opensearch-project/security-dashboards-plugin/issues/828

stephen-crawford commented 1 year ago

[Triage] Issue remains relevant as it is at least tangentially related to ongoing work on session management.