Review the OpenSRP 2 access token expiry period #2886
Replies: 5 comments
-
I think (1) is sufficient, this is a common pattern among many apps
…On Sun, Sep 17, 2023 at 6:17 PM Benjamin Mwalimu ***@***.***> wrote:
Assigned #2766 <#2766> to @pld
<https://github.com/pld>.
-
We tested several options for the three token times in Keycloak and we determined that setting them depending on the project requirements can work, with the impending security risk if they are longer than usual.
All the above are applicable if the device remains online; while offline the device defaults to PIN every other time, and only returns to login on the condition that the above timelines are met and the device is online.
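The online/offline decision described in the comment above, as an added example that is not part of the discussion or of the OpenSRP/Keycloak code. It assumes the "three token times" are Keycloak's access token lifespan, SSO session idle timeout (which bounds the refresh token) and SSO session max lifespan, and it also reports how long a leaked refresh token would stay usable, which is the exposure that grows when those lifetimes are extended.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    USE_TOKEN = "use current access token"
    REFRESH = "refresh with refresh token"
    PIN = "local PIN unlock (offline)"
    LOGIN = "full username/password login"


@dataclass
class TokenState:
    # All values are Unix seconds; field names are assumptions for this example.
    access_exp: int        # access token 'exp' (access token lifespan)
    refresh_exp: int       # refresh token expiry (SSO session idle timeout)
    session_max_end: int   # absolute end of the SSO session (session max lifespan)


def decide(tokens: TokenState, now: int, online: bool, skew: int = 30) -> Action:
    """Pick the next auth step for a device at time `now`.

    `skew` treats a token that expires within a few seconds as already
    expired, so the client never sends one the server will reject.
    """
    if not online:
        # No way to reach Keycloak, so the local PIN gates access every time.
        return Action.PIN
    if now + skew < tokens.access_exp:
        return Action.USE_TOKEN
    # The session max lifespan is absolute: a refresh can never extend past it.
    if now + skew < tokens.refresh_exp and now + skew < tokens.session_max_end:
        return Action.REFRESH
    # All timelines are met and the device is online: back to the login screen.
    return Action.LOGIN


def stolen_token_window(tokens: TokenState, now: int) -> int:
    """Seconds a refresh token captured at `now` stays usable to an attacker.

    Longer idle/max lifespans widen this window, which is the security risk
    of extending the token times beyond the defaults.
    """
    return max(0, min(tokens.refresh_exp, tokens.session_max_end) - now)
```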
-
Thanks Ben for creating this issue and Peter and Ager for the additional inputs. I also agree with taking a balanced approach and think we should work with implementing partners to train/build capacity of users to remember their own usernames and passwords. Catering for a situation where a user never has to remember their username and password is on the extreme end, and most digital health applications require users to remember a password. While there are risks with this due to literacy and competency levels of some CHWs, and inconveniences for our implementing partners, we can't overcompensate and shift too much of the risk to Ona.
-
Seems like PIN authentication is not provided out of the box by Keycloak. It however does provide a way to extend its functionality by implementing our own Service Provider Interface to create a Keycloak Extension. The implication of this is of course that we will have to maintain custom Keycloak code. Anyone deploying Keycloak (and requiring this type of PIN authentication) will need to include our custom code (in the form of a Jar). We may have to always ensure the extension works across different Keycloak versions and/or document which versions of Keycloak we support in case of migrations/upgrades. On the brighter side, we won't be maintaining a fully-fledged fork of Keycloak. Resources
-
Cool, this seems like a reasonable roadmap backlog issue. I'm not sure what other apps do here; is it common, or are there widely used examples of a PIN being used for remote auth vs only local unlock? I've always assumed it was just local unlock, but I've never looked into it.
-
Request Description
Expected Outcome
Current Options