vmware-tanzu / pinniped

Pinniped is the easy, secure way to log in to your Kubernetes clusters.
https://pinniped.dev
Apache License 2.0

Consider token lifetime extension semantics of TCR API #1027

Open enj opened 2 years ago

enj commented 2 years ago

Today TCR will give you a certificate that is valid until end := time.Now() + 5*time.Minute even if the input token has an expiration time that is before end. This is problematic as one can use the TCR API to effectively extend the lifetime of the token. Ideally we would have a way to issue a certificate that has the exact same expiration as the input token.

enj commented 2 years ago

Well maybe not the exact same lifetime, but instead use min(safe_max_irrevocable_cred, token_exp).
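The clamp proposed above, as an added Go example that is not Pinniped's code: NotAfter becomes min(now + safe_max_irrevocable_cred, token_exp), an already-expired token is refused, the 5-minute cap is assumed from TCR's current behaviour, and the self-signed issuer is a stand-in for TCR's real CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// The issue's safe_max_irrevocable_cred; 5 minutes is assumed from TCR's current behaviour.
const maxCertLifetime = 5 * time.Minute

// clampedNotAfter implements min(now+safe_max_irrevocable_cred, token_exp) so the
// certificate never outlives the token it was exchanged for.
func clampedNotAfter(now, tokenExp time.Time) (time.Time, error) {
	capped := now.Add(maxCertLifetime)
	if tokenExp.IsZero() || tokenExp.After(capped) {
		return capped, nil // token has no expiry, or outlives the cap: cap wins
	}
	if !tokenExp.After(now) {
		return time.Time{}, errors.New("input token is already expired")
	}
	return tokenExp, nil // token expires first: inherit its expiry exactly
}

// issueClientCert mints a self-signed client cert (stand-in for TCR's CA) with the clamped
// NotAfter; x509 keeps times at second precision, so pass whole-second values when comparing.
func issueClientCert(now, tokenExp time.Time) (*x509.Certificate, error) {
	notAfter, err := clampedNotAfter(now, tokenExp)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```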