Add argument for token expiry date #385

Open
4 tasks
gctucker opened this issue Oct 20, 2023 · 7 comments

@gctucker
Contributor

The current /token endpoint does not provide a way for clients to specify the lifetime of the token to be generated. This should be added as a way to override the internal API default expiry value.

  • expiry date / time added to the /token endpoint
  • unit tests updated accordingly
  • end-to-end tests updated accordingly
  • --expiry option added to kci user token and underlying API Python bindings in kernelci-core
@gctucker changed the title from "Add query argument for token expiry date" to "Add argument for token expiry date" on Oct 20, 2023
@JenySadadia
Collaborator

With the fastapi-users integration, the /login endpoint from the package will be used to get access tokens.
The expiry time is configurable for a specific authentication backend (JWT in this case) by adding access_token_expiry_seconds to the .env. Please see https://github.com/JenySadadia/kernelci-api/blob/fastapi-users-integration/api/auth.py#L23
It is used when the authentication backend is created with the specified strategy. Please see https://github.com/JenySadadia/kernelci-api/blob/fastapi-users-integration/api/auth.py#L45
I don't think it is possible to modify the expiry time for different requests.

@gctucker
Contributor Author

So users won't be able to specify the expiry date when requesting an API token?

@JenySadadia
Collaborator

We can try overriding the JWTStrategy.write_token function (https://github.com/fastapi-users/fastapi-users/blob/master/fastapi_users/authentication/strategy/jwt.py#L59) to make it configurable with each request.

@gctucker
Contributor Author

I see, thanks. Also, I believe this is not really needed for the production release candidate, unless some users have an issue with the token expiry being too short or too long, etc.

@nuclearcat
Member

Do we have any token revocation mechanism? For example, if a user exposed a token to the public and wants to cancel it.
I'm not saying we need it right now, but it might be a TODO issue that appears one day, and it is probably good to know at least conceptually how to implement it in the short term.

@JenySadadia
Collaborator

Do we have any token revocation mechanism? For example, if a user exposed a token to the public and wants to cancel it. I'm not saying we need it right now, but it might be a TODO issue that appears one day, and it is probably good to know at least conceptually how to implement it in the short term.

We are using JWT tokens and they cannot be revoked on demand from the server side. They work purely on expiry time.
Maybe we can have something to blacklist tokens if required.

@nuclearcat
Member

Great idea, so I think in case someone requests such a feature, we will go the blacklist way.
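The two ideas raised in this thread, a per-request token lifetime (overriding the strategy's write_token) and a blacklist for revoking a leaked JWT before it expires, combined in one added example. This is not kernelci-api or fastapi-users code; it is a stand-alone HS256 JWT issuer/verifier using only the Python standard library, written here to show the checks a practitioner would want around both features. DEFAULT_EXPIRY_SECONDS (standing in for access_token_expiry_seconds), MAX_EXPIRY_SECONDS, the in-memory denylist dict, and the function and error names are assumptions for illustration, not the project's API.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Dict, Optional

# Assumed server-side policy (not taken from kernelci-api): a default lifetime
# standing in for access_token_expiry_seconds, plus a hard ceiling so a client
# asking for --expiry cannot mint an effectively non-expiring token.
DEFAULT_EXPIRY_SECONDS = 3600
MAX_EXPIRY_SECONDS = 7 * 24 * 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def write_token(secret: bytes, user_id: str, expires_in: Optional[int] = None,
                now: Optional[int] = None) -> str:
    """Mint an HS256 JWT. A per-request expires_in overrides the default lifetime
    but is clamped to MAX_EXPIRY_SECONDS; the jti claim makes each token revocable."""
    now = int(time.time()) if now is None else int(now)
    lifetime = DEFAULT_EXPIRY_SECONDS if expires_in is None else int(expires_in)
    if lifetime < 1:
        raise ValueError("expiry must be a positive number of seconds")
    lifetime = min(lifetime, MAX_EXPIRY_SECONDS)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + lifetime, "jti": uuid.uuid4().hex}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    return signing_input + "." + _b64url(_sign(secret, signing_input))


class TokenDenylist:
    """In-memory jti denylist (hypothetical). An entry only needs to live until the
    token's own exp, so purge() bounds its size; a shared store would replace the dict
    so every API instance sees the same revocations."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}

    def revoke(self, token: str) -> str:
        # The signature is deliberately not checked here: denylisting a forged
        # token is harmless, and a leaked token is by definition a valid one.
        payload = json.loads(_b64url_decode(token.split(".")[1]))
        self._revoked[payload["jti"]] = int(payload["exp"])
        return payload["jti"]

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def purge(self, now: Optional[int] = None) -> int:
        now = int(time.time()) if now is None else int(now)
        stale = [jti for jti, exp in self._revoked.items() if exp <= now]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)


def read_token(secret: bytes, token: str, denylist: Optional[TokenDenylist] = None,
               now: Optional[int] = None) -> dict:
    """Verify algorithm, signature, expiry and denylist; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm-confusion tokens
        raise ValueError("unexpected alg")
    expected = _sign(secret, header_b64 + "." + payload_b64)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if now >= int(payload["exp"]):
        raise ValueError("token expired")
    if denylist is not None and denylist.is_revoked(payload["jti"]):
        raise ValueError("token revoked")
    return payload


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample input, not a real key
    tok = write_token(secret, "alice", expires_in=600)
    print(read_token(secret, tok))
    denylist = TokenDenylist()
    denylist.revoke(tok)
    try:
        read_token(secret, tok, denylist=denylist)
    except ValueError as exc:
        print("after revocation:", exc)
```

Two points the thread leaves implicit: if the /token endpoint accepts a client-chosen lifetime, the server must clamp it (otherwise --expiry becomes a way to issue tokens that never expire), and a denylist only helps if every verifying request consults it, which is the cost of reintroducing server-side state that stateless JWTs were meant to avoid. Keying the denylist on jti and dropping entries once their exp has passed keeps that state bounded.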
