Configure OAuth clients so that tokens have a maximum age set
An XCCDF Rule
Description
You can configure OAuth tokens to have have a custom duration. By default, the tokens are valid for 24 hours (86400 seconds).
The maximum age can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.
To set the OAuth client token max age, edit the OAuth client
object: oc edit oauthclient $clientname
and set the top-level accessTokenMaxAgeSeconds
attribute.
apiVersion: oauth.openshift.io/v1 grantMethod: auto kind: OAuthClient metadata: ... accessTokenMaxAgeSeconds: 28800For more information on configuring the OAuth clients, consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.7/authentication/configuring-internal-oauth.html
warning alert: Warning
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the
/apis/oauth.openshift.io/v1/oauthclients API endpoint to the local Rationale
Setting a token maximum age to a shorter time period reduces the window of opportunity for unauthorized personnel to take control of the session.
- ID
- xccdf_org.ssgproject.content_rule_oauthclient_token_maxage
- Severity
- Medium
- References
- Updated