public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OAuth : Introduce new setting for configuring max age of OAuth state cookie (#23195)

Browse Source 
* Cookie : Increase duration to avoid error

When using oauth2 authentication with multifactor, the 60s delay may be too short

* Introduce new setting for OAuth state cookie max age

Co-authored-by: Sofia Papagiannaki <sofia@grafana.com>
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
This commit is contained in:
rtrompier
2020-03-30 16:44:58 +02:00
committed by GitHub
parent f1548b4b11
commit 474dac1501
5 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
conf/defaults.ini
+3
View File
@@ -298,6 +298,9 @@ signout_redirect_url =
# This setting is ignored if multiple OAuth providers are configured.
oauth_auto_login = false
# OAuth state max age cookie duration. Defaults to 60 seconds.
oauth_state_cookie_max_age = 60
# limit of api_key seconds to live before expiration
api_key_max_seconds_to_live = -1
conf/sample.ini
+3
View File
@@ -297,6 +297,9 @@
# This setting is ignored if multiple OAuth providers are configured.
;oauth_auto_login = false
# OAuth state max age cookie duration. Defaults to 60 seconds.
;oauth_state_cookie_max_age = 60
# limit of api_key seconds to live before expiration
;api_key_max_seconds_to_live = -1
docs/sources/installation/configuration.md
+5
View File
@@ -450,6 +450,11 @@ Text used as placeholder text on login page for password input.
Grafana provides many ways to authenticate users. The docs for authentication has been split in to many different pages
below.
### oauth_state_cookie_max_age
How long the OAuth state cookie lives before being deleted. Default is `60` (seconds)
Administrators can increase it if they experience OAuth login state mismatch errors.
- [Authentication Overview]({{< relref "../auth/overview.md" >}}) (anonymous access options, hide login and more)
- [Google OAuth]({{< relref "../auth/google.md" >}}) (auth.google)
- [GitHub OAuth]({{< relref "../auth/github.md" >}}) (auth.github)
pkg/api/login_oauth.go
+1 -1
View File
@@ -70,7 +70,7 @@ func (hs *HTTPServer) OAuthLogin(ctx *models.ReqContext) {
}
hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret)
middleware.WriteCookie(ctx.Resp, OauthStateCookieName, hashedState, 60, hs.cookieOptionsFromCfg)
middleware.WriteCookie(ctx.Resp, OauthStateCookieName, hashedState, hs.Cfg.OAuthCookieMaxAge, hs.cookieOptionsFromCfg)
if setting.OAuthService.OAuthInfos[name].HostedDomain == "" {
ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
} else {
pkg/setting/setting.go
+4
View File
@@ -268,6 +268,9 @@ type Cfg struct {
LoginMaxLifetimeDays int
TokenRotationIntervalMinutes int
// OAuth
OAuthCookieMaxAge int
// SAML Auth
SAMLEnabled bool
@@ -848,6 +851,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
DisableLoginForm = auth.Key("disable_login_form").MustBool(false)
DisableSignoutMenu = auth.Key("disable_signout_menu").MustBool(false)
OAuthAutoLogin = auth.Key("oauth_auto_login").MustBool(false)
cfg.OAuthCookieMaxAge = auth.Key("oauth_state_cookie_max_age").MustInt(60)
SignoutRedirectUrl, err = valueAsString(auth, "signout_redirect_url", "")
if err != nil {
return err