Okta auth backend doesn't respect its own max_ttl #4110

Closed
white-glider opened this issue Mar 8, 2018 · 1 comment
Environment:

  • Vault Version: 0.9.5
  • Operating System/Architecture: linux_amd64

Vault Config File:

storage "file" {
  path = "/opt/vault/storage"
}
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/opt/vault/config/vault.crt"
  tls_key_file    = "/opt/vault/config/vault.key"
}

Startup Log Output:

==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
                 Storage: file
                 Version: Vault v0.9.5
             Version Sha: 36edb4d42380d89a897e7f633046423240b710d9

==> Vault server started! Log data will stream in below:

Expected Behavior:

After enabling and configuring the Okta auth backend with a max_ttl different from zero, without changing default_lease_ttl and max_lease_ttl, any successfully authenticated user should get a token with a duration <= max_ttl.

Actual Behavior:

Successfully authenticated users get a token with duration = 768h, although the Okta backend was configured with max_ttl=1h.

Steps to Reproduce:

  1. Enable Okta auth backend
  2. Configure Okta auth backend with max_ttl=1h
  3. Authenticate to Vault through Okta
  4. Look for the token_duration line in Vault's output

Important Factoids:

If the Okta auth backend is configured with both max_ttl=1h and ttl=1h, then the token's duration is limited to 1h.

jefferai added a commit that referenced this issue Mar 8, 2018
@jefferai jefferai added this to the 0.9.6 milestone Mar 8, 2018
jefferai added a commit that referenced this issue Mar 13, 2018
@white-glider (Author) commented:

After b3c9358, Okta now respects max_ttl=1h, but I get the following weird warning after a successful login (using Vault 0.9.6):

WARNING! The following warnings were returned from Vault:

  * Effective TTL of '1h0m0s' exceeded the effective max_ttl of '1h0m0s'; TTL
  value is capped accordingly

The configuration is still the same as explained in the ticket, i.e.:

$ vault read auth/okta/config
Key                Value
---                -----
bypass_okta_mfa    false
max_ttl            3600
org_name           whatever
organization       whatever
ttl                0
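To make the two observations in this thread concrete (ttl=0 with max_ttl=1h yielding a 768h token, and the "1h exceeded 1h" warning after the fix), here is an added model of the TTL resolution in Go. It is not Vault's code: the 768h system defaults, the `buggy` switch (one mechanism consistent with the report, in which max_ttl is skipped whenever the backend ttl is unset) and the function name are assumptions for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// System-wide defaults as observed in the report (768h); assumed values for
// this model, not read from Vault's own configuration code.
const (
	sysDefaultLeaseTTL = 768 * time.Hour
	sysMaxLeaseTTL     = 768 * time.Hour
)

// resolveTTL models how a backend's ttl/max_ttl (0 = unset) combine with the
// system defaults. `buggy` reproduces one mechanism consistent with the
// report: max_ttl is ignored whenever the backend ttl is unset.
func resolveTTL(backendTTL, backendMaxTTL time.Duration, buggy bool) (time.Duration, string) {
	ttl := backendTTL
	if ttl == 0 {
		ttl = sysDefaultLeaseTTL
	}
	maxTTL := backendMaxTTL
	if maxTTL == 0 || maxTTL > sysMaxLeaseTTL {
		maxTTL = sysMaxLeaseTTL
	}
	if buggy && backendTTL == 0 {
		return ttl, "" // max_ttl never consulted: 768h token
	}
	// Strict comparison: a `>=` here would warn "1h exceeded 1h" when the
	// two are equal, which is the spurious warning in the follow-up comment.
	if ttl > maxTTL {
		return maxTTL, fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", ttl, maxTTL)
	}
	return ttl, ""
}

func main() {
	cases := []struct {
		ttl, max time.Duration
		buggy    bool
	}{{0, time.Hour, true}, {0, time.Hour, false}, {time.Hour, time.Hour, false}}
	for _, c := range cases {
		d, w := resolveTTL(c.ttl, c.max, c.buggy)
		fmt.Printf("ttl=%v max_ttl=%v buggy=%v -> token_duration=%v warning=%q\n", c.ttl, c.max, c.buggy, d, w)
	}
}
```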
