[BUG] JWT expiry setting not honored #1448

Open
GuiTeK opened this issue Sep 16, 2021 · 2 comments
Labels
bug Something isn't working triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

GuiTeK commented Sep 16, 2021

Describe the bug
The code of this repository (see AuthTokenProcessorHandler:L354) and this comment suggest there is a JWT expiry setting. However, when setting it like below, it doesn't work (JWT expiry is still the default 60 * 60 seconds).

config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    kibana:
      multitenancy_enabled: false
    http:
      anonymous_auth_enabled: false
    authc:
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates (for Kibana Server)"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "clientcert"
          config:
            username_attribute: "cn"
          challenge: false
        authentication_backend:
          type: "noop"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: "saml"
          challenge: true
          config:
            idp:
              metadata_url: "https://subdomain.okta.com/app/xxx/sso/saml/metadata"
              entity_id: "http://www.okta.com/xxx"
            sp:
              entity_id: "logs-kibana-saml"
            kibana_url: "https://kb.logs.example.com/"
            roles_key: "Roles"
            exchange_key: "xxx"
            jwt:
              expiry: NOW+10
        authentication_backend:
          type: "noop"

To Reproduce
Steps to reproduce the behavior:

  1. Set the config.yml of the security plugin to the contents shown above
  2. Apply it with securityadmin.sh
  3. Log in to Kibana
  4. Wait for 10-20 seconds
  5. Refresh a Kibana page and see that the session is still valid/no re-login is required

Expected behavior
Setting jwt.expiry should change the TTL of the generated JWT.

Host/Environment (please complete the following information):

  • OS: Ubuntu 20.04
  • ElasticSearch: OSS 7.10.2
  • Kibana (opendistroforelasticsearch-kibana): 1.13.2
  • OpenDistro versions:
opendistro-alerting               1.13.1.0-1 
opendistro-anomaly-detection      1.13.0.0-1
opendistro-asynchronous-search    1.13.0.1-1
opendistro-index-management       1.13.2.0-1
opendistro-job-scheduler          1.13.0.0-1
opendistro-knn                    1.13.0.0-1
opendistro-knnlib                 1.13.0.0
opendistro-performance-analyzer   1.13.0.0-1
opendistro-reports-scheduler      1.13.0.0-1
opendistro-security               1.13.1.0-1
opendistro-sql                    1.13.2.0-1
opendistroforelasticsearch        1.13.2-1
@GuiTeK GuiTeK added Beta bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Sep 16, 2021
@davidlago davidlago removed Beta untriaged Require the attention of the repository maintainers and may need to be prioritized labels Nov 3, 2021
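
A way to check the token's lifetime directly, rather than inferring it from whether a page refresh asks for a new login. This is an added example, not part of the issue or the plugin's code. It assumes you have captured the JWT issued after the SAML login, that it carries `exp` plus `nbf` or `iat` claims, and that the intended lifetime is 10 seconds; `make_sample_token` builds a constructed token for the demo.

```python
import base64
import json

DEFAULT_TTL = 60 * 60  # default lifetime quoted in the issue, in seconds


def decode_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying the signature (inspection only)."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[7:]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_lifetime(claims: dict) -> int:
    """Seconds between the token's start (nbf, else iat) and its exp claim."""
    start = claims.get("nbf", claims.get("iat"))
    if "exp" not in claims or start is None:
        raise ValueError("token lacks exp or a start claim (nbf/iat)")
    return int(claims["exp"]) - int(start)


def check_expiry(token: str, expected_ttl: int, tolerance: int = 2) -> str:
    """Classify the token: 'honoured', 'default' (setting ignored) or 'other'."""
    ttl = token_lifetime(decode_claims(token))
    if abs(ttl - expected_ttl) <= tolerance:
        return "honoured"
    if abs(ttl - DEFAULT_TTL) <= tolerance:
        return "default"
    return "other"


def make_sample_token(nbf: int, ttl: int) -> str:
    """Build a constructed token for the demo (not a real plugin token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": "constructed-user", "nbf": nbf, "exp": nbf + ttl}
    return ".".join([enc({"alg": "HS512"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    # Constructed token showing the reported symptom: a 10-second lifetime was
    # expected (assumed reading of the setting), but the token lasts 3600 seconds.
    sample = make_sample_token(nbf=1631800000, ttl=DEFAULT_TTL)
    print(check_expiry(sample, expected_ttl=10))  # prints "default"
```

A result of `default` means the token itself still carries the 3600-second lifetime, which is separate from how long the Kibana session stays valid on refresh.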
@sandervandegeijn

Seems related to opensearch-project/security-dashboards-plugin#828

@davidlago davidlago added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Oct 10, 2022
@stephen-crawford
Contributor

[Triage] Issue remains relevant as it is at least tangentially related to ongoing work on session management.
