UI should warn that token is near expiry #20859

Closed
RRcwhiting opened this issue May 30, 2023 · 11 comments

Comments

@RRcwhiting

Is your feature request related to a problem? Please describe.
My team is frustrated when their work gets eaten by Vault midway through working on a large secret.

Describe the solution you'd like
The UI should warn you how long your session is remaining.

Describe alternatives you've considered
Token describe capability on the GUI would be nice, but requiring a user to use the console inspector is bad UX.

Explain any additional use-cases
Diagnosing the default login TTL, etc.

@Monkeychip
Contributor

@RRcwhiting thank you for the issue. Can you clarify what you mean by session? I just want to make sure I'm understanding correctly. Are you referring to a token's duration?

@RRcwhiting
Author

The GUI sessions, in the web interface.

@Monkeychip
Contributor

Monkeychip commented May 30, 2023

@RRcwhiting got it. It does look like we can make a request to the auth/token/lookup endpoint and retrieve the users/tokens expiry information. We're going to bring this idea to design. No promises, but I also agree it would be helpful to display some kind of warning/banner.

[Edited: removed due to incorrect information].

@maxb
Contributor

maxb commented May 30, 2023

> This param is called the token_period.

@Monkeychip The token_period setting is actually used to create periodic tokens, a special and usually rare kind of token that can never expire provided it is repeatedly renewed within its period.

Standard use-cases just wanting to manage the initial default, and maximum requestable/renewable lifetime, of tokens should be looking at the token_ttl and token_max_ttl settings instead.

@Monkeychip
Contributor

@maxb Thank you! Yes. That's correct. My apologies.

@hashishaw
Contributor

Hi @RRcwhiting! I've opened #23143 to show an expiration warning, and I'd love your feedback on whether you think this approach would solve your pain point. There are a couple of limitations in the current approach:

  • Will only show the warning if the token is renewable.
  • Will only show the warning if the user has been "inactive" (see PR for more details). This means that if the user is coming up on their max TTL but has been active in the UI, we will not show the warning.

Addressing the above limitations is possible but will take more time. I wanted to check with you to get a sense if this partial fix will address most of your team's concerns.

I'm also curious about this statement:

> Token describe capability on the GUI would be nice

Where in the GUI would you expect the information to display? We could use the /auth/token/lookup-self endpoint and show some of it under the user menu, or maybe there's a new page you had in mind?
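The thread leans on two pieces of Vault behaviour: the `/auth/token/lookup-self` endpoint hashishaw mentions, and maxb's distinction between `token_ttl`/`token_max_ttl` (ordinary tokens that count down to a hard limit) and `token_period` (periodic tokens whose renewal resets the clock). The following Python is an added example, not code from this issue, from the linked PR or from Vault itself. It fetches the caller's own token metadata and decides whether an expiry warning is due and what the user can do about it. The endpoint and the `ttl`, `renewable`, `period` and `expire_time` response fields are real Vault API fields; the server address, the 300-second threshold and the sample responses are constructed for the example.

```python
"""Warn when a Vault token is close to expiry, based on GET /v1/auth/token/lookup-self."""
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Assumption: a Vault server at this address (constructed default, override as needed).
VAULT_ADDR = "http://127.0.0.1:8200"


def lookup_self(token: str, vault_addr: str = VAULT_ADDR) -> dict:
    """Return the "data" object of the caller's own token from /auth/token/lookup-self.

    Relevant fields: `ttl` (seconds left), `renewable`, `period` (non-zero only for
    periodic tokens) and `expire_time` (null for tokens that never expire, e.g. root).
    """
    req = urllib.request.Request(
        f"{vault_addr}/v1/auth/token/lookup-self",
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["data"]


@dataclass
class ExpiryStatus:
    seconds_left: Optional[int]  # None when the token has no expiry at all
    warn: bool
    action: str


def assess_token(data: dict, warn_below: int = 300) -> ExpiryStatus:
    """Decide whether to warn the user and which remedy applies to this token type."""
    ttl = int(data.get("ttl") or 0)
    renewable = bool(data.get("renewable", False))
    period = int(data.get("period") or 0)

    # ttl == 0 together with a null expire_time means the token never expires.
    if ttl == 0 and data.get("expire_time") is None:
        return ExpiryStatus(None, False, "token has no expiry")
    if ttl > warn_below:
        return ExpiryStatus(ttl, False, "no action needed")
    if period > 0:
        # Periodic token: each renewal resets the TTL to the full period, so the
        # user only has to keep renewing within the period (maxb's point above).
        return ExpiryStatus(ttl, True, f"renew now; renewal resets the TTL to {period}s")
    if renewable:
        # Ordinary renewable token: renewal extends the TTL, but never past the
        # max TTL, so eventually the user must re-authenticate regardless.
        return ExpiryStatus(ttl, True, "renew now (Renew token in the user menu); renewals stop at the max TTL")
    return ExpiryStatus(ttl, True, "not renewable: save your work and log in again")


# Constructed lookup-self "data" objects shaped like real responses (values invented).
SAMPLE_NORMAL = {"ttl": 120, "renewable": True, "period": 0, "explicit_max_ttl": 0,
                 "expire_time": "2023-05-30T15:00:00Z", "creation_ttl": 2764800}
SAMPLE_PERIODIC = {"ttl": 60, "renewable": True, "period": 3600, "explicit_max_ttl": 0,
                   "expire_time": "2023-05-30T14:31:00Z", "creation_ttl": 3600}
SAMPLE_BATCH = {"ttl": 45, "renewable": False, "period": 0, "explicit_max_ttl": 0,
                "expire_time": "2023-05-30T14:30:45Z", "creation_ttl": 600}
SAMPLE_ROOT = {"ttl": 0, "renewable": False, "period": 0, "explicit_max_ttl": 0,
               "expire_time": None, "creation_ttl": 0}


if __name__ == "__main__":
    token = os.environ.get("VAULT_TOKEN")
    if token:
        # Live check against the server named in VAULT_ADDR (assumed reachable).
        print(assess_token(lookup_self(token)))
    else:
        # Offline demonstration over the constructed samples.
        for name, sample in [("normal", SAMPLE_NORMAL), ("periodic", SAMPLE_PERIODIC),
                             ("batch", SAMPLE_BATCH), ("root", SAMPLE_ROOT)]:
            print(name, assess_token(sample))
```

Running it with `VAULT_TOKEN` set performs the live lookup; without it, the four constructed samples show the three distinct remedies (renew with period reset, renew up to the max TTL, re-authenticate) plus the no-expiry case, which is the branching a UI banner would need to get right.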

@RRcwhiting
Author

If the user is active in the UI, they're working on something and honestly would probably want to be notified they're about to have a session expire.

A good test case is a veeeeery long secret file. Copying and pasting things into it. It's not technically saving things in the UI, but the mouse is moving.

@hashishaw
Contributor

> a good test case is a veeeeery long secret file. copying and pasting things into it. it's not technically saving things in the UI, but the mouse is moving.

Filling in inputs will not trigger "activity" until the secret is saved, so it should show the warning in that case. I will go ahead and move forward with the PR, and as things can be improved more we can open new issues to address those. How does that sound?

@RRcwhiting
Author

If it still eats their homework, I still have the same problem.

Do what you want :)

@hashishaw
Contributor

Right, that's why I'm trying to fully understand your situation :)

From what I can tell, it sounds like they are bumping up against the inactivity timeout. My PR will help surface the fact that the token is no longer being auto-renewed, but they will still have to click "Renew token" from the user dropdown in order to not lose their work (this functionality is available today). As interim pain reduction, I might recommend your users go ahead and renew their token before they take on a large form.

If they are instead getting kicked out due to their session exceeding the max TTL, my PR won't really help. In that case, I would recommend increasing the max TTL for the auth method or opening a new ticket with the expectation that the user should know when their session is approaching the max TTL.

Hope that helps!

@hashishaw
Contributor

Added a session timeout warning for 1.15.2 👍
