Allow configuring max age and expiry notifications for login tokens #28
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
herglotzmarco
commented
Jan 8, 2025
- Trying to enforce maximum security, access tokens should not be valid forever.
- It is possible to implement automatic token rotation by directly accessing the REST service similar to what the UI does.
- Enabling max token age invalidation (which is optional and off by default for backwards compatibility) means a lot more invalidation happen.
- To help users troubleshoot 401 errors when contacting nexus, a possibility to notify users via email when their tokens expire was introduced.
- This is entirely optional and will only work if Nexus has a mail server configured via default Sonatype means.
- Leveraging OAuth2 Proxys behaviour and correct reverse proxy configuration, this allows to use API tokens like OIDC access tokens with very limited lifespan, where renewing the API token requires full OIDC login, potentially including 2FA, Passkeys or whatever login method is configured.
- If everything is configured correctly, it is not possible to renew the API token with an existing API token, but only with full OAuth2 Proxy login, further strengthening security
- Trying to enforce maximum security, access tokens should not be valid forever. - It is possible to implement automatic token rotation by directly accessing the REST service similar to what the UI does. - Enabling max token age invalidation (which is optional and off by default for backwards compatibility) means a lot more invalidation happen. - To help users troubleshoot 401 errors when contacting nexus, a possibility to notify users via email when their tokens expire was introduced. - This is entirely optional and will only work if Nexus has a mail server configured via default Sonatype means. - Leveraging OAuth2 Proxys behaviour and correct reverse proxy configuration, this allows to use API tokens like OIDC access tokens with very limited lifespan, where renewing the API token requires full OIDC login, potentially including 2FA, Passkeys or whatever login method is configured. - If everything is configured correctly, it is not possible to renew the API token with an existing API token, but only with full OAuth2 Proxy login, further strengthening security
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.