diff options
author | Matthieu Huin <mhuin@redhat.com> | 2019-03-11 11:18:48 +0100 |
---|---|---|
committer | Matthieu Huin <mhuin@redhat.com> | 2019-12-10 16:39:29 +0100 |
commit | b599c7249d495389cf4519e8e69ac3141c94ad5e (patch) | |
tree | 077e3bff4fca0aaa281f01e6773c63a31db26d93 /etc | |
parent | a0015014c94b4b8a51327cfdbb737eb7fed5b659 (diff) | |
download | zuul-b599c7249d495389cf4519e8e69ac3141c94ad5e.tar.gz |
authentication config: add optional max_validity_time, skew
The Zuul admin can configure authenticators with an optional
"max_validity_time" field, which is the maximum age in seconds
for a valid authentication token. By default there is no
maximum age set for tokens, except the one deduced from
the token's "exp" claim.
If "max_validity" is set, tokens without an "iat" claim will
be rejected.
This is meant as an extra security to avoid accidentally issueing
very long lived tokens through the CLI.
The "skew" field can be used to mitigate clocks discrepancies
between Zuul and a JWT emitter.
Change-Id: I9351ca016b60050b5f3b3950b840d5f719e919ce
Diffstat (limited to 'etc')
-rw-r--r-- | etc/zuul.conf-sample | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/etc/zuul.conf-sample b/etc/zuul.conf-sample index c0916c6c4..dd1d37e5a 100644 --- a/etc/zuul.conf-sample +++ b/etc/zuul.conf-sample @@ -52,6 +52,8 @@ default=true client_id=zuul.example.com issuer_id=zuul_operator secret=NoDanaOnlyZuul +max_validity_time=36000 +skew=0 [connection gerrit] driver=gerrit |