Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider token lifetime extension semantics of TCR API #1027

Open
enj opened this issue Feb 19, 2022 · 1 comment
Open

Consider token lifetime extension semantics of TCR API #1027

enj opened this issue Feb 19, 2022 · 1 comment
Labels
chore Not a bug or an enhancement, but still a work item priority/undecided Not yet prioritized

Comments

@enj
Copy link
Contributor

enj commented Feb 19, 2022
edited
Loading

Today TCR will give you a certificate that is valid until end := time.Now() + 5*time.Minute even if the input token has a expiration time that is before end. This is problematic as one can use the TCR API to effectively extend the lifetime of the token. Ideally we would have a way to issue a certificate that has the exact same expiration as the input token.
@enj
Copy link
Contributor Author

enj commented Feb 19, 2022

Well maybe not the exact same lifetime, but instead use min(safe_max_irrevocable_cred, token_exp).

@pinniped-ci-bot pinniped-ci-bot added enhancement New feature or request priority/undecided Not yet prioritized chore Not a bug or an enhancement, but still a work item and removed enhancement New feature or request labels Apr 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
chore Not a bug or an enhancement, but still a work item priority/undecided Not yet prioritized
Projects
Pinniped roadmap
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@enj @pinniped-ci-bot