OIDC : add idlesessionlifetime

InseeFrLab · Mar 3, 2025 · f839fa9 · f839fa9
1 parent 725331b
commit f839fa9
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 29 deletions.
diff --git a/README.md b/README.md
@@ -72,7 +72,7 @@ Configurable properties :
 | `oidc.public-key` | | Optional: If for some reason you don't want Onyxia-API to bootstrap configuration by requesting the `issuer-uri` then you can manually provide the public key used for validating incoming tokens. |
 | `oidc.extra-query-params` | | Optional : query params to be added by client. e.g : `prompt=consent&kc_idp_hint=google` |
 | `oidc.scope` | `openid profile` | Optional : Specifies the OIDC scopes to be requested by the Onyxia client. `"openid"` is always requested, regardless of this setting. |
-| `oidc.workaroundForGoogleClientSecret` | | For some reasons, Google OAuth requires providing a client secret even for public clients. ⚠️ Use this configuration only if using Google OAuth ! ⚠️ For all other providers you should not have client secret as the Onyxia client is public. Example client secret format: " `GOCSPX-_xxxxxxxxxxxxxxxxxxxxxxxxxxx` |
+| `oidc.idleSessionLifetimeInSeconds` | | Optional: Automatically logs out users after a set period of inactivity. |
 
 ### Security configuration :
 | Key | Default | Description |

diff --git a/onyxia-api/src/main/java/fr/insee/onyxia/api/controller/pub/ConfigurationController.java b/onyxia-api/src/main/java/fr/insee/onyxia/api/controller/pub/ConfigurationController.java
@@ -6,14 +6,15 @@
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.tags.Tag;
-import java.util.List;
-import java.util.Optional;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.info.BuildProperties;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import java.util.List;
+import java.util.Optional;
+
 @RestController
 @Tag(name = "Public", description = "Information endpoints")
 @RequestMapping("/public")
@@ -54,8 +55,7 @@ public AppInfo configuration() {
             OIDCConfiguration.setIssuerURI(oidcConfiguration.getIssuerUri());
             OIDCConfiguration.setClientID(oidcConfiguration.getClientID());
             OIDCConfiguration.setExtraQueryParams(oidcConfiguration.getExtraQueryParams());
-            OIDCConfiguration.setWorkaroundForGoogleClientSecret(
-                    oidcConfiguration.getWorkaroundForGoogleClientSecret());
+            OIDCConfiguration.setIdleSessionLifetimeInSeconds(oidcConfiguration.getIdleSessionLifetimeInSeconds());
             OIDCConfiguration.setScope(oidcConfiguration.getScope());
             OIDCConfiguration.setAudience(oidcConfiguration.getAudience());
             appInfo.setOidcConfiguration(OIDCConfiguration);

diff --git a/onyxia-api/src/main/java/fr/insee/onyxia/api/security/OIDCConfiguration.java b/onyxia-api/src/main/java/fr/insee/onyxia/api/security/OIDCConfiguration.java
@@ -1,21 +1,9 @@
 package fr.insee.onyxia.api.security;
 
-import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
-
 import fr.insee.onyxia.api.services.UserProvider;
 import fr.insee.onyxia.api.services.utils.HttpRequestUtils;
 import fr.insee.onyxia.model.User;
 import fr.insee.onyxia.model.region.Region;
-import java.security.KeyFactory;
-import java.security.KeyManagementException;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.interfaces.RSAPublicKey;
-import java.security.spec.X509EncodedKeySpec;
-import java.util.Base64;
-import java.util.Collections;
-import java.util.List;
-import javax.net.ssl.SSLContext;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
@@ -60,6 +48,19 @@
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
+import javax.net.ssl.SSLContext;
+import java.security.KeyFactory;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+
+import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
+
 @Configuration
 @ConditionalOnProperty(name = "authentication.mode", havingValue = "openidconnect")
 public class OIDCConfiguration {
@@ -94,8 +95,8 @@ public class OIDCConfiguration {
     @Value("${oidc.scope}")
     private String scope;
 
-    @Value("${oidc.workaroundForGoogleClientSecret}")
-    private String workaroundForGoogleClientSecret;
+    @Value("${oidc.idleSessionLifetimeInSeconds}")
+    private Integer idleSessionLifetimeInSeconds;
 
     private final HttpRequestUtils httpRequestUtils;
 
@@ -288,12 +289,12 @@ public void setScope(String scope) {
         this.scope = scope;
     }
 
-    public void setWorkaroundForGoogleClientSecret(String workaroundForGoogleClientSecret) {
-        this.workaroundForGoogleClientSecret = workaroundForGoogleClientSecret;
+    public void setIdleSessionLifetimeInSeconds(Integer idleSessionLifetimeInSeconds) {
+        this.idleSessionLifetimeInSeconds = idleSessionLifetimeInSeconds;
     }
 
-    public String getWorkaroundForGoogleClientSecret() {
-        return workaroundForGoogleClientSecret;
+    public Integer getIdleSessionLifetimeInSeconds() {
+        return idleSessionLifetimeInSeconds;
     }
 
     @Bean

diff --git a/onyxia-api/src/main/resources/application.properties b/onyxia-api/src/main/resources/application.properties
@@ -11,7 +11,7 @@ oidc.groups-claim=groups
 oidc.roles-claim=roles
 oidc.extra-query-params=
 oidc.scope=openid profile
-oidc.workaroundForGoogleClientSecret=
+oidc.idleSessionLifetimeInSeconds=
 # Catalogs
 catalogs.refresh.ms=300000
 # Security

diff --git a/onyxia-model/src/main/java/fr/insee/onyxia/model/region/Region.java b/onyxia-model/src/main/java/fr/insee/onyxia/model/region/Region.java
@@ -787,7 +787,7 @@ public static class OIDCConfiguration {
         private String clientID;
         private String extraQueryParams;
         private String scope;
-        private String workaroundForGoogleClientSecret;
+        private Integer idleSessionLifetimeInSeconds;
 
         private String audience;
 
@@ -815,12 +815,12 @@ public void setExtraQueryParams(String extraQueryParams) {
             this.extraQueryParams = extraQueryParams;
         }
 
-        public String getWorkaroundForGoogleClientSecret() {
-            return workaroundForGoogleClientSecret;
+        public Integer getIdleSessionLifetimeInSeconds() {
+            return idleSessionLifetimeInSeconds;
         }
 
-        public void setWorkaroundForGoogleClientSecret(String workaroundForGoogleClientSecret) {
-            this.workaroundForGoogleClientSecret = workaroundForGoogleClientSecret;
+        public void setIdleSessionLifetimeInSeconds(Integer idleSessionLifetimeInSeconds) {
+            this.idleSessionLifetimeInSeconds = idleSessionLifetimeInSeconds;
         }
 
         public String getScope() {