Feature Request - Force logout after few hours


#1

I use GitHub OAuth to authenticate to Concourse UI which works but not sure when the session is invalidated.

For security reasons, I think it would be a good idea to force log out after a couple of hours.

What do you guys think?

Also, please let me know the best place to raise issues and feature requests. Is it this forum or GitHub?


#2

Not all Concourse options are documented; a good idea is to have a look at the output of concourse web -h. I often discover hidden gems :slight_smile:

For your question, you can use the --auth-duration option to set the duration to the time you prefer:

Length of time for which tokens are valid. Afterwards, users will have to log back in.
(default: 24h) [$CONCOURSE_AUTH_DURATION]

#3

Nice one @marco-m - thank you. Good info to have. I’m curious. Consider the scenario where one has a screen in the office on which the Concourse CI web UI is being displayed. A user with low privileges is logged in … what if you want only this user not to be logged out after 24h? Is this possible?

Thank you.


#4

This is not currently possible; the session duration is global.

Concourse 5.x (unreleased) has RBAC support (see https://medium.com/concourse-ci/concourse-rbac-preview-8e07616ddc47), but I don’t know if it will allow different login duration depending on the role, say read-only. This would be a good feature request actually.

A workaround, assuming that either you can afford to make your pipeline public or your Concourse web is accessible only from selected IP addresses, is to use fly expose-pipeline, which makes the pipeline viewable by unauthenticated users (but not the build logs). You can also consult the documentation for public https://concourse-ci.org/jobs.html#job-public, but be careful about the implications (if the logs contain secrets…).