Force re-authentication after N days?

(Avi Flax) #1

I’m using the OAuth2 plugin on my hosted site, so my co-workers can log in with Box. The main goal is to avoid having yet another credential to manage. Part of that is a requirement that if someone leaves and we deactivate their Box account, we don’t want them to be able to access our Discourse site anymore. I looked around the admin area but didn’t see a setting to force re-authentication after N days… is there something like that and maybe I’m just missing it? If not, then please consider this a feature request. Without it, I’ll have to add Discourse to our checklist of things to do when employees leave, which is getting quite long…

(Avi Flax) #2

Seems somewhat related to this thread: Session Timeout.

(Rafael dos Santos Silva) #3

The cookie having Expires: Session will re-auth on the SSO endpoint every time the browser is closed and reopened*. I think this will sort it.

* Except sneaky Chrome

(Avi Flax) #4

@Falco thanks for the quick reply!

I’m not sure that applies in my case, as I’m not sure I’m using SSO? I’m using OAuth2. They’re different, right?

Even if I am using SSO, lots of folks use Chrome so unfortunately relying on that mechanism wouldn’t suffice.

(Rafael dos Santos Silva) #5

The mechanism will work independently of authentication method. Just said SSO to illustrate my use case.

(Avi Flax) #6

Ah, OK, thanks for clarifying!

So is that header sent by default in all configurations? Or do I need to do something to turn it on?

And… is there anything I can do about Chrome?

(Rafael dos Santos Silva) #7

It isn’t possible atm.

I’m looking to create the setting sometime in the next month.

And Chrome keeps the app running in the background on desktop, but nothing we can do about it. Except using a fixed time (like 30 minutes) but that’s bad for other reasons.

(Avi Flax) #8

Ah, I see — thanks for clarifying!

An alternative approach that should work on all browsers and might be less annoying for users would be to keep track of the last time a user logged in, and on every page access compute how long ago that was, and if it’s greater than N {days,hours}, then force them to re-authenticate.

And of course N should be configurable; security and user annoyance would both have an inverse relationship to the size of the value.

Google does this with my Google Apps accounts (with 2FA enabled) — they force me to re-authenticate once a month, but it’s pretty smooth.
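
The check proposed in post #8, sketched as a Rack-style middleware. This is an added example, not code from Discourse, the OAuth2 plugin or any poster in this thread. The class name, the session keys `user_id` and `authenticated_at`, and the login path `/auth/oauth2` are assumptions made for illustration.

```ruby
# Added example: absolute session lifetime enforced on every request.
# Hypothetical middleware; names and session keys are assumptions.
class MaxAuthAge
  DAY = 86_400 # seconds

  # app:        downstream Rack app
  # max_days:   the configurable N from the post
  # login_path: where the OAuth2 flow starts (assumed path)
  # clock:      injectable time source so the check can be tested
  def initialize(app, max_days:, login_path: "/auth/oauth2",
                 clock: -> { Time.now.to_i })
    @app = app
    @max_age = max_days * DAY
    @login_path = login_path
    @clock = clock
  end

  def call(env)
    session = env["rack.session"] || {}
    # Anonymous visitors have no login to expire.
    return @app.call(env) unless session["user_id"]
    # Never redirect the login flow itself, or it would loop.
    return @app.call(env) if env["PATH_INFO"].to_s.start_with?(@login_path)

    if expired?(session["authenticated_at"])
      session.clear # drop the stale login before sending the user back
      return [302, { "location" => @login_path }, []]
    end
    @app.call(env)
  end

  # Fail closed: a missing, non-integer or future timestamp counts as expired.
  def expired?(authenticated_at)
    return true unless authenticated_at.is_a?(Integer)
    age = @clock.call - authenticated_at
    age.negative? || age > @max_age
  end
end
```

`authenticated_at` has to be written only when the identity provider completes a login and never refreshed on ordinary page views, otherwise the check becomes an idle timeout and an active session never expires. It also has to live in a server-side or signed session so the client cannot rewrite it.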

(Jay Pfaffman) #9

If what you want is for people that you have deactivated to be, well, deactivated, you could deactivate their Discourse account or force browser refresh via the API. It probably wouldn’t be that hard to add such a call to your deactivation script at Box.

(Avi Flax) #10

Thanks, but we’re not using a script. We’re manually deactivating the users when they leave the company. My hope is that we can set things up such that we wouldn’t have to do anything else; simply by dint of the Box account being deactivated, a user would lose their access to Discourse shortly thereafter.