Token expiration fixed at 30 days?

[Goepfie]

Hi,

first off, thank you for your work!

I am having an issue with tokens expiring. Access-Tokens issued seem to be expiring after 30 days? Or in my case sometimes on server reboot (with redis and persistence configured), which might also just be coincidential with my monthly maintenance.

Npmjs and Verdaccio don't expire auth-tokens on default. It seems reasonable that the oidc access and refresh tokens expire as set by the oidc provider, but I would expect the actual npm auth-tokens to (not) expire and respect config set by verdaccio:

Verdaccio Config - Expiring Tokens

In my use case, I have a build server that I don't want to relogin every month. I double checked my server configs and everyhting seems to be in order. Also 30 days seems arbitrary. My keycloak config is set to expire logins after 1 day, refresh for 2 day and offline access for a week.

[aikoven]

Hey,

You're right, OIDC token expiration is configured on the OIDC provider's side. However, for Keycloak it may not be too obvious, see https://stackoverflow.com/a/67624190/829064.

From the point of view of this plugin, OIDC session lifetime is arbitrary, so the best it can do is try to refresh the OIDC session during NPM request using refresh token. If the refresh token expired, we reject authentication.

So we usually set the lifespan of refresh token to something like 30 days, and access token to something short, like 15 minutes. This way, we won't log the user out even if they go on a vacation for 2 weeks, but we will log them out pretty quickly if we delete them from Keycloak.

But there's more to it. To be able to refresh the OIDC session, we store it in Redis and set the TTL for it. If Verdaccio is configured with legacy tokens, the TTL is 30 days, but for JWT tokens it is set based on configured JWT expiration:

verdaccio-openid-connect/src/index.ts

Lines 105 to 109 in 37436ec

	const sessionTtl =
	options.config.security?.api?.jwt?.sign?.expiresIn || '1h';
	this.sessionTtl = Number.isNaN(+sessionTtl)
	? ms(sessionTtl)
	: +sessionTtl;

We might set the wrong default for it. It's not clear from Verdaccio docs nor sources what the default expiration time is. If it's never, then we should make a fix in the plugin.

[aikoven]

It seems from Verdaccio source that the default expiration is never, and for web tokens is 7 days.

Just published 📦 [email protected] with the fix, please try it out.

[aikoven]

We might also consider exposing the Redis TTL configuration. But in reality it should only affect maximum inactivity time. If a user is active at least once every 30 days, they should not be logged out.

[Goepfie]

Thanks for getting back to me so quickly and in such depth!

I will have to rethink some of my security config and will take in mind the links you provided. Even though a fast key timeout might not be as big an issue for my operation.

I've updated to the new release last week and will test reboot and lifetime during maintenance today/tomorrow.

The thing is, the build server does daily operations and is set to always-auth at the package manager, however that keycloak bot user almost never logs in on keycloak itself.