Comments (3)
Just to confirm -- as this may have changed since the initial issue was filed -- group membership (or lack thereof) will be updated along with the session for most identity providers. The session expiration is usually set by the upstream identity provider (usually ~1-3 hours) and pomerium tries to renew the token at roughly half that (COOKIE_REFRESH defaults to 30 minutes). That said, you could shorten the refresh period and depending on how many users you are supporting it could be fine.
It's a tradeoff between accidentally DDoS'ing ourselves and the identity provider (which has strict query limits) and making sure the user is not carrying stale credentials.
@desimone Thanks for the explanation.
When I wrote this issue, I was (maybe incorrectly) expecting that adding a user to a group would be taken into account without any delay, while it seemed perfectly normal that removing a user from a group would take some time to be taken into account.
I see from your explanation that both are handled in the same way.
I'm not sure what is possible to improve the user experience though… I worry that if one of my users tells me that he needs to access an app and I add him to a group, then he has to wait at most 15 min and be unhappy :)
It's not an ideal situation. I'd like to have a "recheck my access" button, especially on the unauthorized access user page.
I looked (indeed, it's still commented out in the code) at adding a refresh endpoint which would force a user/group session update. But without a backoff interval / rate limiting, a user (either accidentally or maliciously) could DoS the identity provider and cause you to unexpectedly hit your IdP's QPS limits.
The problem is that tracking user state (in this case, how much bob@company has been hitting that refresh button) is challenging because we don't have a backend datastore that can be queried across potentially many pomerium instances. State is currently tracked in the user session.
For the purpose of access, if the user clears their session, no big deal, we require a re-authentication.
However, tracking the state of how often a user has hit refresh gets tricky because if they clear their session, we no longer know the last time they hit refresh and we can't rate limit effectively.
An option could be to allow refreshing for users that have been logged in for at least some interval (say ~5 minutes) and also track the last refresh timestamp in the session.
So basically ...
IF (user-state is at least X minutes old) AND (user-state.last-refresh is null OR user-state.last-refresh >= X minutes ago)
ALLOW REFRESH
ELSE
DENY REFRESH
Could work?
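A worked version of the rule sketched in the comment above, added here as an example and not code from pomerium itself: the session fields, the policy thresholds and the simulation helper are assumptions chosen for illustration. It shows why keeping both timestamps in the session is enough to bound the refresh rate even though a user can clear the cookie: a fresh session simply starts the minimum-age clock over, so clearing it never buys an immediate refresh.

```go
package main

import (
	"fmt"
	"time"
)

// Session holds the two timestamps the proposal keeps inside the user's
// session cookie (hypothetical struct, not pomerium's real session type).
type Session struct {
	User        string
	IssuedAt    time.Time  // when the session was created by (re-)authentication
	LastRefresh *time.Time // nil until the user first forces a refresh
}

// RefreshPolicy carries the thresholds from the pseudocode: MinAge is the
// "user-state is at least X minutes old" check, MinInterval is the spacing
// between consecutive forced refreshes.
type RefreshPolicy struct {
	MinAge      time.Duration
	MinInterval time.Duration
}

// AllowRefresh evaluates the rule:
//   IF session is at least MinAge old
//   AND (never refreshed OR last refresh at least MinInterval ago)
//   THEN allow, ELSE deny with a reason.
func (p RefreshPolicy) AllowRefresh(s Session, now time.Time) (bool, string) {
	if now.Sub(s.IssuedAt) < p.MinAge {
		return false, "session too young"
	}
	if s.LastRefresh != nil && now.Sub(*s.LastRefresh) < p.MinInterval {
		return false, "refreshed too recently"
	}
	return true, ""
}

// Refresh records a successful forced refresh. Because the timestamp lives in
// the session, every pomerium instance that later sees the cookie enforces the
// same limit without a shared datastore.
func Refresh(s Session, now time.Time) Session {
	t := now
	s.LastRefresh = &t
	return s
}

// CountAllowed simulates a user hammering the refresh button every step
// between start and end (inclusive) on a single persistent session and
// returns how many forced refreshes the policy lets through. This is the
// worst-case IdP query volume one user can generate without re-authenticating.
func CountAllowed(p RefreshPolicy, s Session, start, end time.Time, step time.Duration) int {
	allowed := 0
	for t := start; !t.After(end); t = t.Add(step) {
		if ok, _ := p.AllowRefresh(s, t); ok {
			s = Refresh(s, t)
			allowed++
		}
	}
	return allowed
}

func main() {
	policy := RefreshPolicy{MinAge: 5 * time.Minute, MinInterval: 5 * time.Minute}
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed sample time
	s := Session{User: "bob@company", IssuedAt: t0}

	// Clicking the button every 30s for an hour yields one refresh per 5 minutes.
	fmt.Println("refreshes in 1h:", CountAllowed(policy, s, t0, t0.Add(time.Hour), 30*time.Second))

	// Clearing the cookie at 09:30 creates a new session, which is denied until 09:35.
	cleared := Session{User: "bob@company", IssuedAt: t0.Add(30 * time.Minute)}
	ok, why := policy.AllowRefresh(cleared, t0.Add(31*time.Minute))
	fmt.Println("right after re-auth:", ok, why)
}
```

With both thresholds at 5 minutes a single user cannot cause more than one extra IdP query per 5 minutes regardless of how often the cookie is cleared, since each re-authentication already costs one IdP round trip and then waits out MinAge.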