Anonymous auth provider ignores global idle timeout #94206

Closed
legrego opened this issue Mar 9, 2021 · 8 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Feature:Security/Authentication Platform Security - Authentication Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@legrego
Member

legrego commented Mar 9, 2021

The anonymous provider does not respect the idle timeout specified by xpack.security.session.idleTimeout.

Steps to reproduce

  1. Configure Kibana to use the anonymous provider with a global idle timeout:

```yaml
xpack.security.session.idleTimeout: 2m
xpack.security.authc.selector.enabled: true
xpack.security.authc.providers:
  anonymous:
    anonymous:
      order: 0
      showInSelector: true
      enabled: true
      credentials:
        username: "elastic"
        password: "changeme"
```

  2. Log in using the anonymous provider
  3. Wait the designated time for the session to expire due to inactivity

Expected

The user should get a warning 1 minute before the idle expiration time.
After that 1 minute, the session should expire if there was no further activity.

Actual

The user is never warned about the idle session, and the session never expires.

legrego added the bug, Team:Security, and Feature:Security/Authentication labels on Mar 9, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@azasypkin
Member

I'll take a look tomorrow to confirm, but if I remember correctly that was an intentional decision so that the global default idle timeout doesn't mess with anonymous sessions, since it doesn't make much sense there and may feel confusing (and since we'll have a 1h default in 8.0). The idea was that if admins really want to change the idle timeout for anonymous sessions for some reason, they need to change it for the anonymous provider explicitly. Not sure why it's not captured in the docs though 🙈

Do you feel we need to change that behavior?

@jportner
Contributor

jportner commented Mar 9, 2021

if I remember correctly that was an intentional decision so that the global default idle timeout doesn't mess with anonymous sessions, since it doesn't make much sense there and may feel confusing

I thought so too.

The idea was that if admins really want to change the idle timeout for anonymous sessions for some reason, they need to change it for the anonymous provider explicitly.
...

Do you feel we need to change that behavior?

I'm thinking that we shouldn't change the current behavior. I'm curious to know @legrego 's reasoning though, maybe there's something I'm missing?

Not sure why it's not captured in the docs though 🙈

Yeah... it should be 🤭

@legrego
Member Author

legrego commented Mar 9, 2021

Thanks @azasypkin & @jportner for refreshing my memory. I was testing some changes to session timeouts, and it took me a while to understand why nothing was happening.

I agree with your assessment, let's not change this behavior. We should document this as intentional though, so you can point me to the docs next time I question this 😄
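Added example, not from the issue or the Kibana project: the reproduction config above beside the form the maintainers describe, where the idle timeout is set on the anonymous provider itself rather than globally. The per-provider `session.idleTimeout` key is assumed from Kibana's provider-level session settings (the thread says "change it for the anonymous provider explicitly" without naming the key); the provider name `anonymous1` and the dedicated `kibana_anon` user are placeholders chosen here.

```yaml
# Document 1: the reported behaviour. The global idle timeout is honoured by
# other providers but ignored by the anonymous provider, so anonymous
# sessions never receive the idle warning and never idle-expire.
xpack.security.session.idleTimeout: 2m
xpack.security.authc.selector.enabled: true
xpack.security.authc.providers:
  anonymous:
    anonymous1:
      order: 0
      showInSelector: true
      credentials:
        username: "elastic"      # repro only; do not expose a superuser anonymously
        password: "changeme"
---
# Document 2: the intended way to bound anonymous sessions. The timeout is
# declared on the provider (key assumed from Kibana's per-provider session
# settings), and the global value keeps applying to every other provider.
xpack.security.session.idleTimeout: 2m
xpack.security.authc.selector.enabled: true
xpack.security.authc.providers:
  anonymous:
    anonymous1:
      order: 0
      showInSelector: true
      session:
        idleTimeout: 2m          # provider-level setting; this one is honoured
      credentials:
        username: "kibana_anon"  # placeholder: a dedicated, least-privilege user
        password: "<anonymous-user-password>"
```

When checking a deployment, look for an `anonymous` provider without its own `session.idleTimeout`; the global value alone gives those sessions no idle expiry, however short it is set. The repro's use of `elastic` is for the bug report only; anonymous credentials should belong to a user scoped to exactly the read access the anonymous audience needs.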

@azasypkin
Member

I agree with your assessment, let's not change this behavior. We should document this as intentional though, so you can point me to the docs next time I question this 😄

Good, I'll update docs then 👍

@azasypkin
Member

Good, I'll update docs then 👍

Will be done here: #92376

@azasypkin
Member

Docs were updated. @legrego do you want us to do anything else in the scope of this issue or we can close it now?

@legrego
Member Author

legrego commented Mar 29, 2021

Nope, good to close. Thanks!

@legrego legrego closed this as completed Mar 29, 2021