auth: Avoid forcing one hour expiration for IDP sts creds (#2966)

vadmeste · web-flow · commit 6411dc950442 · 2023-07-27T22:25:47.000-06:00
diff --git a/pkg/auth/idp/oauth2/config.go b/pkg/auth/idp/oauth2/config.go
@@ -20,7 +20,9 @@ package oauth2
 
 import (
 	"crypto/sha1"
+	"strconv"
 	"strings"
+	"time"
 
 	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/pkg/env"
@@ -105,7 +107,14 @@ func getIDPScopes() string {
 	return env.Get(ConsoleIDPScopes, "openid,profile,email")
 }
 
-// getIDPTokenExpiration return default token expiration for access token (in seconds)
-func getIDPTokenExpiration() string {
-	return env.Get(ConsoleIDPTokenExpiration, "3600")
+// getIDPTokenExpiration return default token expiration for access token
+func getIDPTokenExpiration() time.Duration {
+	expiration := 12 * 3600
+	if expStr := env.Get(ConsoleIDPTokenExpiration, ""); expStr != "" {
+		if exp, err := strconv.Atoi(expStr); err == nil {
+			expiration = exp
+		}
+	}
+
+	return time.Duration(expiration) * time.Second
 }
diff --git a/pkg/auth/idp/oauth2/provider.go b/pkg/auth/idp/oauth2/provider.go
@@ -25,13 +25,13 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"strconv"
 	"strings"
 	"time"
 
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/minio/minio-go/v7/pkg/set"
 
+	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/console/pkg/auth/utils"
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/oauth2"
@@ -331,22 +331,23 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
 			return nil, errors.New("invalid token")
 		}
 
-		// expiration configured in the token itself
-		expiration := int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds())
+		expiration := token.GetConsoleSTSDuration()
+		if exp := getIDPTokenExpiration(); exp > 0 {
+			expiration = exp
+		}
 
-		// check if user configured a hardcoded expiration for console via env variables
-		// and override the incoming expiration
-		userConfiguredExpiration := getIDPTokenExpiration()
-		if userConfiguredExpiration != "" {
-			expiration, _ = strconv.Atoi(userConfiguredExpiration)
+		// Use the expiration configured in the token itself if it is closer than the configured value
+		if exp := oauth2Token.Expiry.Sub(time.Now().UTC()); exp < expiration {
+			expiration = exp
 		}
+
 		idToken := oauth2Token.Extra("id_token")
 		if idToken == nil {
 			return nil, errors.New("missing id_token")
 		}
 		token := &credentials.WebIdentityToken{
 			Token:  idToken.(string),
-			Expiry: expiration,
+			Expiry: int(expiration.Seconds()),
 		}
 		if client.UserInfo { // look for access_token only if userinfo is requested.
 			accessToken := oauth2Token.Extra("access_token")
diff --git a/pkg/auth/token/config.go b/pkg/auth/token/config.go
@@ -26,7 +26,7 @@ import (
 // GetConsoleSTSDuration returns the default session duration for the STS requested tokens (defaults to 12h)
 func GetConsoleSTSDuration() time.Duration {
 	duration, err := time.ParseDuration(env.Get(ConsoleSTSDuration, "12h"))
-	if err != nil {
+	if err != nil || duration <= 0 {
 		duration = 12 * time.Hour
 	}
 	return duration

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ import (`
`26`	`26`	`// GetConsoleSTSDuration returns the default session duration for the STS requested tokens (defaults to 12h)`
`27`	`27`	`func GetConsoleSTSDuration() time.Duration {`
`28`	`28`	`duration, err := time.ParseDuration(env.Get(ConsoleSTSDuration, "12h"))`
`29`		`- if err != nil {`
	`29`	`+ if err != nil \|\| duration <= 0 {`
`30`	`30`	`duration = 12 * time.Hour`
`31`	`31`	`}`
`32`	`32`	`return duration`