<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 25 January 2016 at 09:54, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Not sure about that. IMO seconds are
good to have more fine grained timeout values. For example in some
deployment the "Access token timeout" value 1 minute might be too
short, but 2 minutes are too long, so they prefer to use 90
seconds as compromise.<br></div></div></blockquote><div><br></div><div>I disagree, I really don't see anyone needing to set timeouts in second granularity,</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div>
<br>
Also seconds are good for development. For example, I am sometimes
using seconds for testing (IE. setting timeout to 10 seconds to
quickly enforce refresh etc)<br>
<br>
Skip seconds to address KEYCLOAK-1341 looks to me like workaround
rather than real solution. The question is if we should address
KEYCLOAK-1341 at all? There are probably many possibilities how
can admin breaks the login to admin console itself or break the
keycloak entirely. Few examples, which come to my mind (there are
likely much more):<br>
- Delete or disable security-admin-console client<br></div></div></blockquote><div><br></div><div>We're going to prevent users from deleting internal clients and roles, so that won't be a problem anymore</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div>
- delete or disable himself<br></div></div></blockquote><div><br></div><div>Can be recovered by adding new user using add-user script</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div>
- remove roles from himself<br></div></div></blockquote><div><br></div><div>Same as above</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div>
- remove scopes from security-admin-console client<br></div></div></blockquote><div><br></div><div>We haven't covered that one</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div>
- configure authentication flow in some way that it's not possible
login anymore<br></div></div></blockquote><div><br></div><div>Not covered either</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div>
- Timeouts<br>
<br>
I don't think that we should try to prevent all of these
situations. I didn't see any real support questions related to
this. And for example in linux if you do "rm -rf /home" the system
is broken as well. Isn't this kind of similar? IMO admins should
do backup of database, so they can revert if they accidentally
mis-configure things.<br></div></div></blockquote><div><br></div><div>What you are saying makes no sense whatsoever. It's like saying validation in user interfaces is a waste of time.</div><div><br></div><div>Validation in user interfaces are there to help people, and to prevent people doing things that will screw things up. This is an really good example of where lack of validation on inputs allows users to set stupid values. 1 second timeouts never makes any sense, so why should we let users set it. It could also be a mistake as someone wanted to set 1 minute, but selected second by mistake.</div><div><br></div><div>Arguing against preventing people from screwing things up for themselves by coming with another example where they can screw things up is just not good argumentation. We should do as much as we can, and in this case it's a very simple fix that could prevent a rather annoying issue.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div>
<br>
Marek<span class=""><br>
<br>
On 21/01/16 20:45, Stian Thorgersen wrote:<br>
</span></div>
<blockquote type="cite"><span class="">
<div dir="ltr">Do we need to have seconds at all for token
timeouts? Removing seconds from token would make it simpler, but
also make sure no one sets timeouts that are to short (see <a href="https://issues.jboss.org/browse/KEYCLOAK-1341" target="_blank"></a><a href="https://issues.jboss.org/browse/KEYCLOAK-1341" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1341</a>)</div>
<br>
<fieldset></fieldset>
<br>
</span><pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div></div>