From af0a81b5200b6d7fbd063dfbf5af60508e6efc08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 6 Nov 2024 17:16:15 +0100 Subject: [PATCH 1/5] RHIDP-4684 Update Keycloak configuration instructions to improve performance and security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- .../proc-enabling-authentication-with-rhsso.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index c8850771a1..f654b43a21 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -23,6 +23,11 @@ Save the value for the next step: * **Client ID** * **Client Secret** +.. Configure your {rhsso} realm for performance and security: +... Navigate to the **Configure > Realm Settings**. +... Set the **Access Token Lifespan** to a value greater than 5 min (ideally 10 or 15 minutes) to avoid performance issue caused by unnecessary refresh token requests sent for every API call. +... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy. + .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps. . To add your {rhsso} credentials to your {product-short} secrets, edit your {product-short} secrets, such as `secrets-rhdh`, and add the following key/value pairs: From 0ab28cbbe4d8032cf69f16f38fac941a93bc6107 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 6 Nov 2024 17:34:05 +0100 Subject: [PATCH 2/5] RHIDP-4684 Update Keycloak configuration instructions to improve performance and security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- .../proc-enabling-authentication-with-rhsso.adoc | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index f654b43a21..bff3604533 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -168,6 +168,20 @@ auth: ---- -- +`auth.backstageTokenExpiration`:: +-- +To change {product-short} token expiration from the default value of one hour. +Note that this is not the session duration, but rather the duration that the short-term cryptographic tokens are valid for. +You cannot set the expiration value lower than 10 minutes or above 24 hours. + +.`app-config-rhdh.yaml` fragment with optional `auth.backstageTokenExpiration` field +[source,yaml,subs="+quotes"] +---- +auth: + backstageTokenExpiration: { minutes: __ } +---- +-- + -- .Verification From f39cfd9686ee976c6a0175872269fe9f011bc292 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 7 Nov 2024 10:12:21 +0100 Subject: [PATCH 3/5] Update modules/authentication/proc-enabling-authentication-with-rhsso.adoc Co-authored-by: Heena Manwani <59050394+hmanwani-rh@users.noreply.github.com> --- .../authentication/proc-enabling-authentication-with-rhsso.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index bff3604533..f73e0ae5b2 100644 
--- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -25,7 +25,7 @@ Save the value for the next step: .. Configure your {rhsso} realm for performance and security: ... Navigate to the **Configure > Realm Settings**. -... Set the **Access Token Lifespan** to a value greater than 5 min (ideally 10 or 15 minutes) to avoid performance issue caused by unnecessary refresh token requests sent for every API call. +... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call. ... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy. .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps. From 1f3923232b96cb3896c9300c3c061f7510282484 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 7 Nov 2024 10:12:29 +0100 Subject: [PATCH 4/5] Update modules/authentication/proc-enabling-authentication-with-rhsso.adoc Co-authored-by: Heena Manwani <59050394+hmanwani-rh@users.noreply.github.com> --- .../authentication/proc-enabling-authentication-with-rhsso.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index f73e0ae5b2..8a5b620be4 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc 
@@ -24,7 +24,7 @@ Save the value for the next step: * **Client Secret** .. Configure your {rhsso} realm for performance and security: -... Navigate to the **Configure > Realm Settings**. +... Navigate to the **Configure** > **Realm Settings**. ... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call. ... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy. From e1947959a7395a71b47a2b82601982b82778ef83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 7 Nov 2024 10:13:15 +0100 Subject: [PATCH 5/5] Apply suggestions from code review Co-authored-by: Heena Manwani <59050394+hmanwani-rh@users.noreply.github.com> --- .../proc-enabling-authentication-with-rhsso.adoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index 8a5b620be4..4f8d17d46d 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -170,9 +170,7 @@ auth: `auth.backstageTokenExpiration`:: -- -To change {product-short} token expiration from the default value of one hour. -Note that this is not the session duration, but rather the duration that the short-term cryptographic tokens are valid for. -You cannot set the expiration value lower than 10 minutes or above 24 hours. +To modify the {product-short} token expiration from its default value of one hour, note that this refers to the validity of short-term cryptographic tokens, not the session duration. The expiration value must be set between 10 minutes and 24 hours. .`app-config-rhdh.yaml` fragment with optional `auth.backstageTokenExpiration` field [source,yaml,subs="+quotes"]
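Review bot: In the PATCH 1/5 hunk at `@@ -23,6 +23,11 @@`, the new "Configure your {rhsso} realm for performance and security" step gives only the performance rationale for raising **Access Token Lifespan** and never states the cost: an access token stays usable until it expires, so a longer lifespan widens the window in which an exposed token can still be used. Since the step is titled "for performance and security", it should present 10 or 15 minutes as the recommended ceiling and say why not to go higher. The step also sends the reader to **Realm Settings** without naming the tab that holds **Access Token Lifespan** and **Revoke Refresh Token**; naming it would save a search. The wording problems in the same lines ("Navigate to the **Configure > Realm Settings**", "to avoid performance issue") are only corrected in PATCH 3/5 and 4/5; squashing those fixups into this commit keeps the series bisectable.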
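Review bot: In the PATCH 2/5 hunk at `@@ -168,6 +168,20 @@`, the YAML fragment `backstageTokenExpiration: { minutes: __ }` leaves a bare `__` as the placeholder; under `subs="+quotes"` a pair of underscores may be read as AsciiDoc emphasis markup rather than rendered as a visible placeholder. Suggest an explicit placeholder such as `backstageTokenExpiration: { minutes: __<minutes>__ }`, or a sample value inside the documented range of 10 minutes to 24 hours, so the unit and the allowed range are visible in the example. The opening line "To change {product-short} token expiration from the default value of one hour." is a sentence fragment; PATCH 5/5 rewrites it, so that fixup belongs in this commit.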
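Review bot: In the PATCH 3/5 hunk at `@@ -25,7 +25,7 @@`, the rewritten step mixes spelled-out and numeric quantities ("greater than five minutes (preferably 10 or 15 minutes)"); use one form for both, for example "greater than 5 minutes (preferably 10 or 15 minutes)". The rationale "to prevent performance issues from frequent refresh token requests for every API call" is redundant ("frequent" and "for every"); "to prevent the performance cost of a refresh token request on every API call" says the same thing more precisely.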
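Review bot: In the PATCH 5/5 hunk at `@@ -170,9 +170,7 @@`, the merged sentence "To modify the {product-short} token expiration from its default value of one hour, note that this refers to the validity of short-term cryptographic tokens, not the session duration." hangs the purpose clause on "note that", so the paragraph no longer tells the reader what to do to change the expiration. Suggest splitting it back into an instruction and a clarification: "Set this field to change the {product-short} token expiration from its default of one hour. The value governs how long the short-term cryptographic tokens stay valid; it is not the session duration." The new range sentence "must be set between 10 minutes and 24 hours" should also say whether the bounds are inclusive, which the removed wording ("cannot set the expiration value lower than 10 minutes or above 24 hours") made clear.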