force close a dex authenticated session #3279
Unanswered
part-time-githubber
asked this question in
Q&A
Replies: 1 comment 1 reply
-
Usually, the best practice is to minimize the lifetime of the token. The sane expiration period is from 5 to 10 minutes. Kubectl should use a refresh token mechanism to renew the ID token after its expiration. The ID token cannot be changed because it is signed with the Dex keys. This is the only way to propagate new groups. The gRPC API can be used to revoke refresh tokens. See: https://dexidp.io/docs/api/ There is no mechanism to revoke ID tokens because their expiration should happen faster than your decision to revoke a token.
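The reply above says an issued ID token cannot be changed or revoked, so its lifetime bounds how long a removed group stays usable. The following Go sketch is an added example, not code from the discussion or from the Dex project; it measures that window for one token. The `groups` claim name, the group `jit-prod-admins`, and the token itself are assumptions constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// claims holds the two ID token fields that matter after a JIT group removal.
type claims struct {
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups"` // assumed claim name for group membership
}

// staleWindow reports how long after removedAt the token still asserts group.
func staleWindow(idToken, group string, removedAt time.Time) (time.Duration, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a compact JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1]) // no signature check: audit use only
	if err != nil {
		return 0, err
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return 0, err
	}
	for _, g := range c.Groups {
		if left := time.Unix(c.Exp, 0).Sub(removedAt); g == group && left > 0 {
			return left, nil // signed claim stays valid until exp
		}
	}
	return 0, nil // group absent, or token already expired at removal time
}

// sampleToken builds a constructed token with a placeholder signature.
func sampleToken(exp time.Time, groups ...string) string {
	body, _ := json.Marshal(claims{Exp: exp.Unix(), Groups: groups})
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc(body) + ".constructed-signature"
}

func main() {
	removed := time.Unix(1700000000, 0) // constructed JIT expiry time
	tok := sampleToken(removed.Add(4*time.Minute), "jit-prod-admins")
	fmt.Println(staleWindow(tok, "jit-prod-admins", removed))
}
```

The returned duration can never exceed the ID token lifetime configured in Dex, which is why the reply recommends 5 to 10 minutes.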
-
We are looking to use Dex for AWS EKS. Here, we will have groups with zero memberships. Via a JIT access request, people would get added to these groups, and when the JIT access request expires, they will be removed.
When removed, how can their existing kubectl session with a valid JWT token be expired? I know one way would be the ID token's expiry time, but how small can that be? We will have about 1k users in the future looking to access our clusters, and Google Workspace is the IdP we plan to use!
Also, when added, how can the awareness of the new group be propagated to the JWT token faster? I know the ID token's expiry time or logout/login would do the trick here!
Thanks,
Pankaj