From db1ad2de95b86fd5958554709bb4e5ddcd12f78b Mon Sep 17 00:00:00 2001
From: Seth Foster
Date: Wed, 2 Oct 2019 13:35:23 -0400
Subject: [PATCH 1/3] Set REFRESH_TOKEN_EXPIRE_SECONDS

- Set OAUTH2 REFRESH_TOKEN_EXPIRE_SECONDS to 1 month (2628000 seconds)
- If not set, awx-manage cleartokens, or cleanup_tokens, will not work properly
- Once cleartokens is run, this setting is the amount of time after an access token expires that we keep its refresh token in the database
---
 awx/settings/defaults.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index f81b97a325..a2b1e9926b 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -338,7 +338,8 @@ OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL = 'main.OAuth2AccessToken'
 OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL = 'oauth2_provider.RefreshToken'
 OAUTH2_PROVIDER = {'ACCESS_TOKEN_EXPIRE_SECONDS': 31536000000,
- 'AUTHORIZATION_CODE_EXPIRE_SECONDS': 600}
+ 'AUTHORIZATION_CODE_EXPIRE_SECONDS': 600,
+ 'REFRESH_TOKEN_EXPIRE_SECONDS': 2628000}
 ALLOW_OAUTH2_FOR_EXTERNAL_USERS = False
 # LDAP server (default to None to skip using LDAP authentication).

From 8b22c86b10873316f439fd84ea67639286cc1ff2 Mon Sep 17 00:00:00 2001
From: Seth Foster
Date: Wed, 2 Oct 2019 15:29:45 -0400
Subject: [PATCH 2/3] Register default settings for OAUTH2_PROVIDER app

Grab AUTHORIZATION_CODE_EXPIRE_SECONDS from oauth2_settings rather than hard code. Add REFRESH_TOKEN_EXPIRE_SECONDS to valid_key_names in OAuth2ProviderField class
---
 awx/api/conf.py | 3 ++-
 awx/api/fields.py | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/awx/api/conf.py b/awx/api/conf.py
index 27f255c68b..c4a4ea1f5b 100644
--- a/awx/api/conf.py
+++ b/awx/api/conf.py
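Review bot: The added `'REFRESH_TOKEN_EXPIRE_SECONDS': 2628000` is explained only in the commit message, and its meaning is unusual enough — per that message, a grace period counted from the access token's expiry rather than from issuance, and a prerequisite for `cleartokens` to work — that the settings file itself should carry it; suggest a trailing comment such as `# ~30 days a refresh token is kept after its access token expires; cleartokens needs this set`. The context line two above sets `ACCESS_TOKEN_EXPIRE_SECONDS` to 31536000000 (roughly 1000 years), so with these defaults the refresh-token grace period would, if I read the semantics right, never begin and `cleartokens` would still reclaim no refresh tokens unless a deployment overrides the access-token lifetime. Worth stating that dependency in the comment, or revisiting the access-token default in a separate change.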
@@ -38,7 +38,8 @@ register(
 'OAUTH2_PROVIDER',
 field_class=OAuth2ProviderField,
 default={'ACCESS_TOKEN_EXPIRE_SECONDS': oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS,
- 'AUTHORIZATION_CODE_EXPIRE_SECONDS': 600},
+ 'AUTHORIZATION_CODE_EXPIRE_SECONDS': oauth2_settings.AUTHORIZATION_CODE_EXPIRE_SECONDS,
+ 'REFRESH_TOKEN_EXPIRE_SECONDS': oauth2_settings.REFRESH_TOKEN_EXPIRE_SECONDS},
 label=_('OAuth 2 Timeout Settings'),
 help_text=_('Dictionary for customizing OAuth 2 timeouts, available items are '
 '`ACCESS_TOKEN_EXPIRE_SECONDS`, the duration of access tokens in the number '
diff --git a/awx/api/fields.py b/awx/api/fields.py
index 3197e80c55..ace0667a9a 100644
--- a/awx/api/fields.py
+++ b/awx/api/fields.py
@@ -80,7 +80,7 @@ class OAuth2ProviderField(fields.DictField):
 default_error_messages = {
 'invalid_key_names': _('Invalid key names: {invalid_key_names}'),
 }
- valid_key_names = {'ACCESS_TOKEN_EXPIRE_SECONDS', 'AUTHORIZATION_CODE_EXPIRE_SECONDS'}
+ valid_key_names = {'ACCESS_TOKEN_EXPIRE_SECONDS', 'AUTHORIZATION_CODE_EXPIRE_SECONDS', 'REFRESH_TOKEN_EXPIRE_SECONDS'}
 child = fields.IntegerField(min_value=1)
 def to_internal_value(self, data):

From bbd625f3aadf9ce692a3ee8aaf65b8c573a7858b Mon Sep 17 00:00:00 2001
From: Seth Foster
Date: Wed, 2 Oct 2019 17:16:01 -0400
Subject: [PATCH 3/3] update help_text to include information about REFRESH_TOKEN_EXPIRE_SECONDS

---
 awx/api/conf.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/awx/api/conf.py b/awx/api/conf.py
index c4a4ea1f5b..688aad162f 100644
--- a/awx/api/conf.py
+++ b/awx/api/conf.py
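Review bot: The registered default for `REFRESH_TOKEN_EXPIRE_SECONDS` now comes from `oauth2_settings`, which only yields a usable integer because the first patch sets the key in `awx/settings/defaults.py`; when a deployment's `OAUTH2_PROVIDER` omits it, django-oauth-toolkit falls back to its own default, which as far as I recall is `None` (refresh tokens never expire), and `None` is not a value the field's `child = fields.IntegerField(min_value=1)` in fields.py would accept. Consider a comment above the `default=` dict stating that all three keys must be present in the settings-file `OAUTH2_PROVIDER` for the registered defaults to be valid, or check the resolved values at registration time. The `register(...)` call begins before this hunk and its `help_text` continues past it.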
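Review bot: The new `valid_key_names` line in fields.py runs well past a conventional line length, and the set will keep growing as more oauth2 settings are exposed, so one key per line keeps each future change to a single added line; suggest `valid_key_names = {'ACCESS_TOKEN_EXPIRE_SECONDS',` followed by `'AUTHORIZATION_CODE_EXPIRE_SECONDS',` and `'REFRESH_TOKEN_EXPIRE_SECONDS'}` on their own lines. The `OAuth2ProviderField` class continues past the hunk, so `to_internal_value`, which presumably consumes this set, is not visible here.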
@@ -43,8 +43,10 @@ register(
 label=_('OAuth 2 Timeout Settings'),
 help_text=_('Dictionary for customizing OAuth 2 timeouts, available items are '
 '`ACCESS_TOKEN_EXPIRE_SECONDS`, the duration of access tokens in the number '
- 'of seconds, and `AUTHORIZATION_CODE_EXPIRE_SECONDS`, the duration of '
- 'authorization codes in the number of seconds.'),
+ 'of seconds, `AUTHORIZATION_CODE_EXPIRE_SECONDS`, the duration of '
+ 'authorization codes in the number of seconds, and `REFRESH_TOKEN_EXPIRE_SECONDS`, '
+ 'the duration of refresh tokens, after expired access tokens, '
+ 'in the number of seconds.'),
 category=_('Authentication'),
 category_slug='authentication',
 )
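Review bot: The new help-text fragment `'the duration of refresh tokens, after expired access tokens, '` followed by `'in the number of seconds.'` is hard to parse for an administrator reading the settings UI, and this string is exactly what they will see; the commit message of the first patch states the meaning more plainly. Suggest replacing those two added lines with a single `'the number of seconds a refresh token is kept after its access token has expired.'`, leaving the preceding added line unchanged. The `register(...)` call starts before this hunk.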