I did some testing, in the past, with Google OIDC. It's quite easy to integrate with, so I created a test page that is configured to only allow my login:
AuthType openid-connect
Require user sweharris@gmail.com
And this worked quite well. If you try to access the page you'll get a login prompt ("what google account do you want to use").
The problem...
Hello Stephen Harris (sweharris@gmail.com)
Your claim was issued at Wed Apr 6 21:24:36 EDT 2022
Your claim will expire at Wed Apr 6 22:24:36 EDT 2022
Your access token expires at Wed Apr 6 22:24:35 EDT 2022
Activity in my logs will show as user sweharris@gmail.com
(All this information is magically handled by the Apache OIDC module).
So we can see that the Google claims last 1 hour. That would seem reasonable, except regulatory environments such as PCI may require "15 minute idle expiration" (PCI 8.1.8, from memory).
If we do a session expiration within the claim period and force a redirect to the login page then google will automatically create a new token. You don't effectively have a session expiration 'cos there's no new authentication event (the user doesn't get asked for credentials or to approve session continuation).
There _is_ a logout URL... but that logs you out of Google, globally!
I've seen smaller credit unions use 3rd party OIDC providers that set a 12hr token. I cannot see how this can possibly be PCI compliant.
Re: Bearer tokens are just awful
Date: 2022-04-07 01:36 am (UTC)

Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
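The point the comment above makes, that a freshly minted token is not the same thing as a fresh authentication event, can be made concrete on the relying-party side. The following is an added example, not the commenter's code and not mod_auth_openidc's: it layers an idle timer and an authentication-age check on top of the token, keyed on the OIDC auth_time claim rather than on iat/exp. Claim sets and timestamps are constructed to mirror the figures in the comment (issued Wed Apr 6 21:24:36 EDT 2022, one-hour lifetime); the 15-minute limits are assumptions taken from the comment's PCI reference, and the token contents are not real Google tokens.

```python
"""Relying-party checks for an OIDC session that a bearer ID token does not give you by itself.

Added example, not code from the original comment or from mod_auth_openidc.
The claim sets and timestamps below are constructed; they mirror the figures in the
comment (claim issued Wed Apr 6 21:24:36 EDT 2022, expiring one hour later) but are
not real tokens. The 15-minute numbers are assumptions taken from the comment's PCI
reference, not values from any provider.
"""
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))
AUTH_EVENT = datetime(2022, 4, 6, 21, 24, 36, tzinfo=EDT)   # the comment's "issued at"

IDLE_LIMIT = timedelta(minutes=15)      # assumed idle policy
MAX_AUTH_AGE = timedelta(minutes=15)    # assumed maximum age of the actual login event

# Reason strings returned by check_session
OK = "ok"
EXPIRED = "token expired"
IDLE = "idle timeout"
NO_AUTH_TIME = "no auth_time claim: cannot tell when the user last authenticated"
STALE_AUTH = "authentication too old: re-authentication required"


def _ts(dt):
    """Epoch seconds, the encoding OIDC uses for iat, exp and auth_time."""
    return int(dt.timestamp())


def _dt(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def make_id_token_claims(issued_at, auth_time=None):
    """Constructed ID-token claim set with the one-hour lifetime the comment observed.

    auth_time is deliberately optional: OIDC Core only requires it when the relying
    party asked for max_age (or requested the claim as essential).
    """
    claims = {
        "iss": "https://accounts.google.com",
        "email": "sweharris@gmail.com",
        "iat": _ts(issued_at),
        "exp": _ts(issued_at + timedelta(hours=1)),
    }
    if auth_time is not None:
        claims["auth_time"] = _ts(auth_time)
    return claims


def naive_check(claims, now):
    """What 'the bearer token is the session' amounts to: valid until exp, nothing else."""
    return now < _dt(claims["exp"])


def check_session(claims, now, last_activity,
                  idle_limit=IDLE_LIMIT, max_auth_age=MAX_AUTH_AGE):
    """Relying-party policy layered on top of the token.

    Returns (allowed, reason). The idle timer is the RP's own state; the
    authentication age comes from auth_time, which a silently re-issued token
    carries forward unchanged even though iat and exp are fresh.
    """
    if now >= _dt(claims["exp"]):
        return False, EXPIRED
    if now - last_activity > idle_limit:
        return False, IDLE
    if "auth_time" not in claims:
        return False, NO_AUTH_TIME
    if now - _dt(claims["auth_time"]) > max_auth_age:
        return False, STALE_AUTH
    return True, OK


def run_scenarios():
    """Walk the situations the comment describes; returns {name: result}."""
    t0 = AUTH_EVENT

    def m(minutes):
        return t0 + timedelta(minutes=minutes)

    first = make_id_token_claims(t0, auth_time=t0)
    # The IdP minted a new token on redirect with no login prompt: new iat/exp, same auth_time.
    reissued = make_id_token_claims(m(50), auth_time=t0)
    # Same, but the IdP did not include auth_time at all.
    reissued_opaque = make_id_token_claims(m(50))

    return {
        "fresh": check_session(first, now=m(5), last_activity=m(4)),
        "idle": check_session(first, now=m(30), last_activity=m(10)),
        "expired": check_session(first, now=m(120), last_activity=m(119)),
        "reissued_naive": naive_check(reissued, now=m(51)),
        "reissued": check_session(reissued, now=m(51), last_activity=m(50)),
        "reissued_opaque": check_session(reissued_opaque, now=m(51), last_activity=m(50)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16} {result}")
```

The "reissued" scenario is the one the comment describes: the token passes naive_check because its exp is an hour away, but auth_time still points at the original login, so check_session demands re-authentication. Two caveats follow from OIDC Core: auth_time is only guaranteed to be present when the relying party sent max_age in the authentication request (or asked for the claim as essential), and whether a provider honours max_age by actually re-prompting the user is the provider's decision. Without auth_time the relying party is left with nothing but its own idle timer, which is the "reissued_opaque" case.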