Make JWT expiration time configurable
and drop attempt to set JWT header (golang-jwt/jwt does not seem to use TokenOptions ever)
parent
006b0003b4
commit
22254f1b4f
2 changed files with 4 additions and 11 deletions
|
@ -27,6 +27,7 @@ var (
|
||||||
LimitDispatchInputs int64 `ini:"LIMIT_DISPATCH_INPUTS"`
|
LimitDispatchInputs int64 `ini:"LIMIT_DISPATCH_INPUTS"`
|
||||||
JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
|
JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
|
||||||
JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
|
JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
|
||||||
|
JWTExpirationTime time.Duration `ini:"JWT_EXPIRATION_TIME"`
|
||||||
}{
|
}{
|
||||||
Enabled: true,
|
Enabled: true,
|
||||||
DefaultActionsURL: defaultActionsURLForgejo,
|
DefaultActionsURL: defaultActionsURLForgejo,
|
||||||
|
@ -34,6 +35,7 @@ var (
|
||||||
LimitDispatchInputs: 10,
|
LimitDispatchInputs: 10,
|
||||||
JWTSigningAlgorithm: "EdDSA",
|
JWTSigningAlgorithm: "EdDSA",
|
||||||
JWTSigningPrivateKeyFile: "actions_oidc/private.pem",
|
JWTSigningPrivateKeyFile: "actions_oidc/private.pem",
|
||||||
|
JWTExpirationTime: time.Hour,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
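Review bot: `JWTExpirationTime` is accepted without any bounds, and its default of `time.Hour` is four times the 15 minutes that getToken hard-coded before this commit, so the ID-token validity window widens even for installations that never set `JWT_EXPIRATION_TIME`. A zero or negative value would produce tokens whose `exp` is not after `nbf`, and a very large one turns a short-lived workload credential into a long-lived bearer token. Consider keeping the default at `JWTExpirationTime: 15 * time.Minute,` and rejecting non-positive or over-cap values where this section is loaded (that code is not visible in this hunk). A field comment such as `// JWTExpirationTime is the ID token lifetime as a Go duration string, e.g. "15m".` would also help, since a unitless number may not be interpreted as seconds.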
@ -160,9 +160,9 @@ func (o oidcRoutes) getToken(ctx *ArtifactContext) {
|
||||||
"runner_environment": "self-hosted", // not sure what this should be set to, github will have either "github-hosted" or "self-hosted"
|
"runner_environment": "self-hosted", // not sure what this should be set to, github will have either "github-hosted" or "self-hosted"
|
||||||
"iss": setting.AppURL + setting.AppSubURL + "/api/actions_idtoken",
|
"iss": setting.AppURL + setting.AppSubURL + "/api/actions_idtoken",
|
||||||
"nbf": jwt.NewNumericDate(iat),
|
"nbf": jwt.NewNumericDate(iat),
|
||||||
"exp": jwt.NewNumericDate(iat.Add(time.Minute * 15)),
|
"exp": jwt.NewNumericDate(iat.Add(setting.Actions.JWTExpirationTime)),
|
||||||
"iat": jwt.NewNumericDate(iat),
|
"iat": jwt.NewNumericDate(iat),
|
||||||
}, addTokenHeaders(o.signingKey))
|
})
|
||||||
|
|
||||||
signedJWT, err := token.SignedString(o.signingKey.SignKey())
|
signedJWT, err := token.SignedString(o.signingKey.SignKey())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -212,12 +212,3 @@ func (o oidcRoutes) getOpenIDConfiguration(resp http.ResponseWriter, req *http.R
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func addTokenHeaders(key jwtx.JWTSigningKey) jwt.TokenOption {
|
|
||||||
return func(t *jwt.Token) {
|
|
||||||
kid := key.KID()
|
|
||||||
if kid != "" {
|
|
||||||
t.Header["kid"] = kid
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
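Review bot: Dropping `addTokenHeaders` leaves the issued token with no `kid` header at all, although the removed helper shows the intent was to publish one. If, as the commit message suggests, the option passed to the constructor was never applied, the header can be set directly before `token.SignedString(...)` in getToken: `if kid := o.signingKey.KID(); kid != "" { token.Header["kid"] = kid }`. Relying parties that verify against a JWKS normally select the key by `kid`, so without it a key rotation or a multi-key set leaves verifiers trying every key or rejecting the token. getToken starts and ends outside this hunk; note also that the `exp` line now uses `setting.Actions.JWTExpirationTime` as-is, so a non-positive setting would yield a token that is already expired.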