From c987a9de63bc12b5e87903faa1764df87e146156 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 6 Nov 2024 17:16:15 +0100 Subject: [PATCH 1/5] RHIDP-4684 Update Keycloak configuration instructions to improve performance and security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- .../proc-enabling-authentication-with-rhsso.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index c8850771a1..f654b43a21 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -23,6 +23,11 @@ Save the value for the next step: * **Client ID** * **Client Secret** +.. Configure your {rhsso} realm for performance and security: +... Navigate to the **Configure > Realm Settings**. +... Set the **Access Token Lifespan** to a value greater than 5 min (ideally 10 or 15 minutes) to avoid performance issue caused by unnecessary refresh token requests sent for every API call. +... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy. + .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps. . To add your {rhsso} credentials to your {product-short} secrets, edit your {product-short} secrets, such as `secrets-rhdh`, and add the following key/value pairs: From f01a2631e0d66ddddac8bcb329740eb7f82b707a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 6 Nov 2024 17:34:05 +0100 Subject: [PATCH 2/5] RHIDP-4684 Update Keycloak configuration instructions to improve performance and security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- .../proc-enabling-authentication-with-rhsso.adoc | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index f654b43a21..bff3604533 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -168,6 +168,20 @@ auth: ---- -- +`auth.backstageTokenExpiration`:: +-- +To change {product-short} token expiration from the default value of one hour. +Note that this is not the session duration, but rather the duration that the short-term cryptographic tokens are valid for. +You cannot set the expiration value lower than 10 minutes or above 24 hours. + +.`app-config-rhdh.yaml` fragment with optional `auth.backstageTokenExpiration` field +[source,yaml,subs="+quotes"] +---- +auth: + backstageTokenExpiration: { minutes: __ } +---- +-- + -- .Verification From 324ebdca82f966753154f1de14cc77c78166322c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 7 Nov 2024 10:12:21 +0100 Subject: [PATCH 3/5] Update modules/authentication/proc-enabling-authentication-with-rhsso.adoc Co-authored-by: Heena Manwani <59050394+hmanwani-rh@users.noreply.github.com> --- .../authentication/proc-enabling-authentication-with-rhsso.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index bff3604533..f73e0ae5b2 100644 
--- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -25,7 +25,7 @@ Save the value for the next step: .. Configure your {rhsso} realm for performance and security: ... Navigate to the **Configure > Realm Settings**. -... Set the **Access Token Lifespan** to a value greater than 5 min (ideally 10 or 15 minutes) to avoid performance issue caused by unnecessary refresh token requests sent for every API call. +... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call. ... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy. .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps. From 4e9534e1fdfe2060c658f573e37c054a333818ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 7 Nov 2024 10:12:29 +0100 Subject: [PATCH 4/5] Update modules/authentication/proc-enabling-authentication-with-rhsso.adoc Co-authored-by: Heena Manwani <59050394+hmanwani-rh@users.noreply.github.com> --- .../authentication/proc-enabling-authentication-with-rhsso.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index f73e0ae5b2..8a5b620be4 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc 
@@ -24,7 +24,7 @@ Save the value for the next step: * **Client Secret** .. Configure your {rhsso} realm for performance and security: -... Navigate to the **Configure > Realm Settings**. +... Navigate to the **Configure** > **Realm Settings**. ... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call. ... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy. From c9ad33209a2c4c0c303949b5ca44f1ace8d99687 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 7 Nov 2024 10:13:15 +0100 Subject: [PATCH 5/5] Apply suggestions from code review Co-authored-by: Heena Manwani <59050394+hmanwani-rh@users.noreply.github.com> --- .../proc-enabling-authentication-with-rhsso.adoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index 8a5b620be4..4f8d17d46d 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -170,9 +170,7 @@ auth: `auth.backstageTokenExpiration`:: -- -To change {product-short} token expiration from the default value of one hour. -Note that this is not the session duration, but rather the duration that the short-term cryptographic tokens are valid for. -You cannot set the expiration value lower than 10 minutes or above 24 hours. +To modify the {product-short} token expiration from its default value of one hour, note that this refers to the validity of short-term cryptographic tokens, not the session duration. The expiration value must be set between 10 minutes and 24 hours. .`app-config-rhdh.yaml` fragment with optional `auth.backstageTokenExpiration` field [source,yaml,subs="+quotes"]
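Review bot: in PATCH 1/5, the new "Access Token Lifespan" step gives only the performance rationale, but raising the lifespan is a security trade-off: a leaked access token, or one belonging to a session that has since been logged out or revoked, stays valid until it expires, so a longer lifespan widens that window. The step should state this plainly and keep the recommendation at the modest 10 or 15 minutes it already names rather than implying "larger is better". The same hunk's "Revoke Refresh Token" step should also mention that, once enabled, the realm's "Refresh Token Max Reuse" setting (default 0) means a client that sends concurrent refresh requests, for example from several browser tabs, can have its session invalidated; readers who see unexpected logouts after following this step need that pointer.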
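Review bot: in PATCH 2/5, the YAML placeholder in `backstageTokenExpiration: { minutes: __ }` is empty, so with `subs="+quotes"` nothing tells the reader what to substitute; use a named replaceable such as `{ minutes: __<minutes>__ }` and state that the value is an integer number of minutes within the 10-minute to 24-hour range the prose gives. The description should also say how this field relates to the realm "Access Token Lifespan" added in PATCH 1/5: one governs the Keycloak access token, the other the {product-short} token, and they are set independently, which the current text leaves for the reader to infer.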
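Review bot: in PATCH 5/5, the rewritten description opens with a dangling infinitive ("To modify the {product-short} token expiration from its default value of one hour, note that this refers to ..."), which reads as an instruction that never says what to do. Since this is a definition-list entry for a field, describe the field instead, for example: "Changes the {product-short} token expiration from its default of one hour. This is the validity period of the short-term cryptographic tokens, not the session duration. The value must be between 10 minutes and 24 hours."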