feat(config): enable refresh tokens and automatic refreshing by default, increase default session lifetime

Trong Huu Nguyen
2023-10-11 14:16:53 +02:00
parent 3594a5c8ff
commit 6dbc747aad
2 changed files with 12 additions and 12 deletions


@@ -11,7 +11,7 @@ The following flags are available:
| Flag | Type | Description | Default Value |
|:----------------------------------|:---------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------|
| `auto-login` | boolean | Enforce authentication if the user does not have a valid session for all matching upstream paths. Automatically redirects HTTP navigation requests to login, otherwise responds with 401 with the Location header set. | |
| `auto-login` | boolean | Enforce authentication if the user does not have a valid session for all matching upstream paths. Automatically redirects HTTP navigation requests to login, otherwise responds with 401 with the Location header set. | `false` |
| `auto-login-ignore-paths` | strings | Comma separated list of absolute paths to ignore when `auto-login` is enabled. Supports basic wildcard matching with glob-style asterisks. Invalid patterns are ignored. | |
| `bind-address` | string | Listen address for public connections. | `127.0.0.1:3000` |
| `cookie-prefix` | string | Prefix for cookie names. | `io.nais.wonderwall` |
@@ -36,22 +36,22 @@ The following flags are available:
| `redis.tls` | boolean | Whether or not to use TLS for connecting to Redis. Does not override TLS config set by `redis.uri`. | `true` |
| `redis.uri` | string | Redis URI string. Prefer using this. An empty value will fall back to `redis-address`. | |
| `redis.username` | string | Username for Redis. Does not override username set by `redis.uri`. | |
| `session.inactivity` | boolean | Automatically expire user sessions if they have not refreshed their tokens within a given duration. | |
| `session.inactivity` | boolean | Automatically expire user sessions if they have not refreshed their tokens within a given duration. | `false` |
| `session.inactivity-timeout` | duration | Inactivity timeout for user sessions. | `30m` |
| `session.max-lifetime` | duration | Max lifetime for user sessions. | `1h` |
| `session.refresh` | boolean | Enable refresh tokens. | |
| `session.refresh-auto` | boolean | Enable automatic refresh of tokens. Only available in standalone mode. Will automatically refresh tokens if they are expired as long as the session is valid (i.e. not exceeding `session.max-lifetime` or `session.inactivity-timeout`). | |
| `shutdown-graceful-period` | duration | Graceful shutdown period when receiving a shutdown signal after which the server is forcibly exited. | |
| `shutdown-wait-before-period` | duration | Wait period when receiving a shutdown signal before actually starting a graceful shutdown. Useful for allowing propagation of Endpoint updates in Kubernetes. | |
| `session.max-lifetime` | duration | Max lifetime for user sessions. | `12h` |
| `session.refresh` | boolean | Enable refresh tokens. | `true` |
| `session.refresh-auto` | boolean | Enable automatic refresh of tokens. Only available in standalone mode. Will automatically refresh tokens if they are expired as long as the session is valid (i.e. not exceeding `session.max-lifetime` or `session.inactivity-timeout`). | `true` |
| `shutdown-graceful-period` | duration | Graceful shutdown period when receiving a shutdown signal after which the server is forcibly exited. | `30s` |
| `shutdown-wait-before-period` | duration | Wait period when receiving a shutdown signal before actually starting a graceful shutdown. Useful for allowing propagation of Endpoint updates in Kubernetes. | `0s` |
| `sso.domain` | string | The domain that the session cookies should be set for, usually the second-level domain name (e.g. `example.com`). | |
| `sso.enabled` | boolean | Enable single sign-on mode; one server acting as the OIDC Relying Party, and N proxies. The proxies delegate most endpoint operations to the server, and only implements a reverse proxy that reads the user's session data from the shared store. | |
| `sso.enabled` | boolean | Enable single sign-on mode; one server acting as the OIDC Relying Party, and N proxies. The proxies delegate most endpoint operations to the server, and only implements a reverse proxy that reads the user's session data from the shared store. | `false` |
| `sso.mode` | string | The SSO mode for this instance. Must be one of `server` or `proxy`. | `server` |
| `sso.server-default-redirect-url` | string | The URL that the SSO server should redirect to by default if a given redirect query parameter is invalid. | |
| `sso.server-url` | string | The URL used by the proxy to point to the SSO server instance. | |
| `sso.session-cookie-name` | string | Session cookie name. Must be the same across all SSO Servers and Proxies that should share sessions. | |
| `upstream-host` | string | Address of upstream host. | `127.0.0.1:8080` |
| `upstream-ip` | string | IP of upstream host. Overrides 'upstream-host' if set. | |
| `upstream-port` | int | Port of upstream host. Overrides 'upstream-host' if set. | |
| `upstream-port` | int | Port of upstream host. Overrides 'upstream-host' if set. | `0` |
Boolean flags are by default set to `false` unless noted otherwise.
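Review bot: the `session.refresh-auto` row now defaults to `true` while its description still says it is "Only available in standalone mode"; the row should state what happens when `sso.enabled` is `true` (flag ignored, or startup error), since an SSO server or proxy deployment will inherit `true` unless it overrides it. The table should also spell out the combined effect of the new defaults: with `session.refresh` and `session.refresh-auto` on and `session.inactivity` still `false`, an idle browser keeps getting fresh tokens until `session.max-lifetime` (`12h`) is reached, so the 30m `session.inactivity-timeout` only applies if operators opt in; a one-line recommendation to enable `session.inactivity` alongside the longer lifetime would help readers pick the intended trade-off. Finally, the closing sentence "Boolean flags are by default set to `false` unless noted otherwise." is redundant now that every boolean row carries an explicit default, and reads as contradictory next to `session.refresh` = `true`; drop it if it survives this change.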


@@ -117,9 +117,9 @@ func Initialize() (*Config, error) {
flag.Bool(SessionInactivity, false, "Automatically expire user sessions if they have not refreshed their tokens within a given duration.")
flag.Duration(SessionInactivityTimeout, 30*time.Minute, "Inactivity timeout for user sessions.")
flag.Duration(SessionMaxLifetime, time.Hour, "Max lifetime for user sessions.")
flag.Bool(SessionRefresh, false, "Enable refresh tokens.")
flag.Bool(SessionRefreshAuto, false, "Enable automatic refresh of tokens. Only available in standalone mode. Will automatically refresh tokens if they are expired as long as the session is valid (i.e. not exceeding 'session.max-lifetime' or 'session.inactivity-timeout').")
flag.Duration(SessionMaxLifetime, 10*time.Hour, "Max lifetime for user sessions.")
flag.Bool(SessionRefresh, true, "Enable refresh tokens.")
flag.Bool(SessionRefreshAuto, true, "Enable automatic refresh of tokens. Only available in standalone mode. Will automatically refresh tokens if they are expired as long as the session is valid (i.e. not exceeding 'session.max-lifetime' or 'session.inactivity-timeout').")
flag.Bool(SSOEnabled, false, "Enable single sign-on mode; one server acting as the OIDC Relying Party, and N proxies. The proxies delegate most endpoint operations to the server, and only implements a reverse proxy that reads the user's session data from the shared store.")
flag.String(SSODomain, "", "The domain that the session cookies should be set for, usually the second-level domain name (e.g. example.com).")
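Review bot: `SessionMaxLifetime` is set to `10*time.Hour` here, but the documentation table changed in the same commit says `12h`, and the commit message only says "increase default session lifetime"; one of the two is wrong and should be corrected before merge so the README and the flag help text agree. Since the help strings and the table are maintained by hand, consider adding a test (or a generated table) that checks each flag's registered default against the documented one, which would have caught this mismatch.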