nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-27 10:44:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

apache: Increase OpenID Connect RP session timeout activity

Browse Source 
Tests:

- Without patch, open FeatherWiki wiki and save after 5 minutes. Save fails.

- Apply the patch, Apache app setup is run and mod_auth_openidc configuration
is updated. Open FeatherWiki wiki and save after 5 minutes. Save works, wiki
contents are saved.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
This commit is contained in:
Sunil Mohan Adapa 2026-03-18 12:35:42 -07:00 committed by Joseph Nuthalapati
parent c66e78c203
commit 9169ef89d9
No known key found for this signature in database
GPG Key ID: 5398F00A2FA43C35
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
plinth/modules/apache/__init__.py
View File

@ -86,7 +86,7 @@ class ApacheApp(app_module.App):
app_id = 'apache' app_id = 'apache'
_version = 16 _version = 17
def __init__(self) -> None: def __init__(self) -> None:
"""Create components for the app.""" """Create components for the app."""

31
plinth/modules/apache/privileged.py
View File

@ -237,6 +237,30 @@ def _setup_oidc_config():
Keep the metadata directory and configuration file unreadable by non-admin Keep the metadata directory and configuration file unreadable by non-admin
users since they contain module's crypto secret and OIDC client secret. users since they contain module's crypto secret and OIDC client secret.
# Session management
When apps like Syncthing are protected with mod_auth_openidc, there a
session maintained using server-side session storage and a cookie on the
client side. This session is different from the session managed by the
OpenID Connect Provider (FreedomBox web interface). As long as this session
is valid, no further authentication mechanisms are triggered.
When the session expires, if the request is a GET request (due to page
reload), the browser is redirected to OP, a fresh token is created, and the
page is loaded. However, for POST requests, 401 error is returned and if
the application is unaware, it won't do much about it. So, this
necessitates keeping the session timeout value high.
When logout is performed on FreedomBox web interface, mod_auth_openidc
cookie is also removed and logout feels instantaneous. However, this won't
work for applications not using mod_auth_openidc and for applications
hosted on other domains. A better way to do this is to implement OpenID
Connect's Back-Channel Logout or using OpenID Connect Session Management.
For more about session management see:
https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts and
https://github.com/OpenIDC/mod_auth_openidc/wiki/Session-Management-Settings
""" """
metadata_dir_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True) metadata_dir_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
metadata_dir_path.mkdir(mode=0o700, exist_ok=True) metadata_dir_path.mkdir(mode=0o700, exist_ok=True)
@ -259,6 +283,13 @@ def _setup_oidc_config():
OIDCSSLValidateServer Off OIDCSSLValidateServer Off
OIDCProviderMetadataRefreshInterval 86400 OIDCProviderMetadataRefreshInterval 86400
# Expire the mod_auth_openidc session (not the OpenID Conneect Provider
# session) after 10 hours of idle with a maximum session duration equal to
# the expiry time of the ID token (10 hours). This allows applications such
# as FeatherWiki to have long editing sessions before save.
OIDCSessionInactivityTimeout 36000
OIDCSessionMaxDuration 0
# Use relative URL to return to the original domain # Use relative URL to return to the original domain
OIDCRedirectURI /apache/oidc/callback OIDCRedirectURI /apache/oidc/callback
OIDCRemoteUserClaim sub OIDCRemoteUserClaim sub