ActiveDirectoryIdentityProvider user session expire time #2104

Open
hatsnal opened this issue Nov 8, 2024 · 1 comment

hatsnal commented Nov 8, 2024

What happened?

Hello everyone! I have set up an ActiveDirectoryIdentityProvider. After a while (about 8 hours), the user is prompted to re-enter their login and password. How can I increase this interval? I couldn't find anything related to this in the documentation or CSR.

What else is there to know about this bug?

cfryanr (Member) commented Nov 8, 2024

Hi @hatsnal, the maximum length of a user's session length is not configurable at this time.

For OIDCIdentityProvider, you can decrease the length of your users' sessions by changing the lifetime of the refresh tokens that are returned from your OIDC identity provider in its settings for the client that you created for the Pinniped Supervisor to use. But you cannot increase the hardcoded session maximum length of 9 hours at this time. Also, the Supervisor will perform frequent refreshes with the OIDC identity provider for active users during their session, and if the refresh fails then the user's Supervisor session ends immediately, e.g. if the user's account was locked. Group memberships can also be updated during these refreshes. GitHubIdentityProvider works in a similar way.

For LDAPIdentityProvider and ActiveDirectoryIdentityProvider, since there is no concept of a "session" in the LDAP server, the maximum session length always applies and currently cannot be shortened or extended. Also, the Supervisor will perform frequent refreshes during an active user's session with the LDAP or AD server to check if the user's account has been locked, removed, etc., which will cause the user's Supervisor session to end immediately. Group memberships can also be updated during these refreshes.

Note that a user can avoid the username and password prompts by setting their username and password into environment variables. This can be useful for long-running jobs or CI scripts, for example. This will skip the prompts and automatically re-authenticate the user after their session has expired. See https://pinniped.dev/docs/howto/cicd/ for more information about that.

Were you hoping to make the user sessions shorter or longer? We would be interested to learn more about your use case. It would be possible to make the max session length configurable, but we haven't implemented such a feature yet.
