author: Matthieu Huin <mhuin@redhat.com> 2019-03-11 11:18:48 +0100
committer: Matthieu Huin <mhuin@redhat.com> 2019-12-10 16:39:29 +0100
commit: b599c7249d495389cf4519e8e69ac3141c94ad5e (patch)
tree: 077e3bff4fca0aaa281f01e6773c63a31db26d93 /etc
parent: a0015014c94b4b8a51327cfdbb737eb7fed5b659 (diff)
authentication config: add optional max_validity_time, skew
The Zuul admin can configure authenticators with an optional "max_validity_time" field, which is the maximum age in seconds for a valid authentication token. By default there is no maximum age set for tokens, except the one deduced from the token's "exp" claim. If "max_validity" is set, tokens without an "iat" claim will be rejected. This is meant as an extra security to avoid accidentally issuing very long lived tokens through the CLI. The "skew" field can be used to mitigate clock discrepancies between Zuul and a JWT emitter.

Change-Id: I9351ca016b60050b5f3b3950b840d5f719e919ce
Diffstat (limited to 'etc')
-rw-r--r-- etc/zuul.conf-sample 2
1 files changed, 2 insertions, 0 deletions
diff --git a/etc/zuul.conf-sample b/etc/zuul.conf-sample
index c0916c6c4..dd1d37e5a 100644
--- a/etc/zuul.conf-sample
+++ b/etc/zuul.conf-sample
@@ -52,6 +52,8 @@ default=true
client_id=zuul.example.com
issuer_id=zuul_operator
secret=NoDanaOnlyZuul
+max_validity_time=36000
+skew=0
[connection gerrit]
driver=gerrit
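Review bot: the two added keys, max_validity_time=36000 and skew=0, land in the sample without any comment, so the unit (seconds, per the commit message) and the side effect that tokens lacking an "iat" claim are rejected once max_validity_time is set are not visible to someone copying this file. Add a short comment above them stating both, and say what unit skew takes. Since the commit message describes max_validity_time as optional with no maximum age by default, consider shipping it commented out in the sample so the "iat" requirement is not enabled unknowingly. The message also calls the option "max_validity" in one sentence while the key here is max_validity_time; the wording should match the key.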