馃殌 Feature: Configurable JWT expiration #5263
Comments
stnguyen90
changed the title
stnguyen90
added
the
product / auth
stnguyen90
changed the title
|
At the moment, the JWT expiration time is not configurable. I'll leave this issue as a feature request to make the JWT expiration time configurable. For now, you'd have to tweak the 3rd parameter here: appwrite/app/controllers/api/account.php Line 1298 in 6122a25 To tweak it, you can mount in a modified version of the account.php file. |
|
Expiring JWT for mobile app will not be good for user experience. I think this setting should be added to the .env file. |
|
Hey @stnguyen90 , |
|
@singhbhaskar thanks for your interest! 馃檹馃徏 This one may require more planning so it won't be a good one for you to work on. Maybe after it's been planned out some more, we can reach out to the community to work on it. |
Does it really require a plan to add the configuration of this to the env file? I'm asking out of curiosity. |
Yes, because this is something that might actually make more sense to be a project-level configuration rather than global one. As such, we would need to think about how it should be configured via the Console and how it should be described and explained. |
|
I would like to be able to set the expiry time of jwt in the console |
|
Hi @stnguyen90, Yes as you said, it should be at project level not global level. We can put it inside However, JWT duration will be capped by Session Length. If assigned then I'll start working ASAP 馃殌 Just a brief, I came here to open a request for this feature and found this already opened issue. So, I've good idea of actual requirement from user point of view. 
|
|
Great feature for mobile app |
|
@BadgerBloke, thanks so much for raising your PRs! 馃檹馃徏 Let me talk to the team about this. |
|
@BadgerBloke, could you provide more insight into why you need this feature? |
|
Sure @stnguyen90 , in my org, we have multiple projects so for a couple of projects 15 minutes is a bit high and at the same time for mobile application it is a bit low (from ux point of view) however, it is not a good idea to have very high JWT expiration only for avoiding the re-login rather we have to use refresh token for getting a fresh set of tokens without pushing the user for re-login. But, we don't have refresh token as of now. I'm sure that there will be other scenarios when the user needs to change it. Here, we are keeping the default JWT expiration time as 15 minutes only. But in case someone has to change it then they will have the option. Very very high level roadmap for SSO馃挕I was about to put a proposal to have the capability to select the JWT signing algorithm. Currently we are using HS256 which is using a secret key only for signing as well as verification. But with algo like RS and ES we will have private/public key and in this case appwrite admin need not to share their private or signing key even then another backend will be able to validate the JWT without making any api call to appwrite. 馃挕We should also have the refresh token functionality. 馃挕 Option to include user data in JWT payload. 馃挕with above capability our Appwrite will be perfect fit for SSO. Even if we agree and go for incorporating the above points then it will take some time and in that case we can take configurable JWT expiration as the first step towards SSO otherwise users will have at least this much capability. Hope you find it making sense |
|
@BadgerBloke you raised SSO as a use case...would you be able to use OAuth2 instead? With OAuth2, they only sign into the provider once and then they can allow any other app access. We released support for an OIDC provider which should be supported by big auth providers. |
|
@stnguyen90 yeah I saw the OpenID Connect in our latest release and the same is available on cloud as well now. So, first of all congrats to the whole Appwrite team 馃帀 I explored the options like Keycloak and there is no doubt that they are great but their documentation is not very friendly. I didn't get any other good open source project(s). The best part about Appwrite is that, it is very easily understandable, The documentation is really cool, so if it has the above JWT capabilities then even without integrating other services it will be able to fulfill the SSO requirements. But, it's ok if this doesn't align with Appwrite's vision. |
|
However, if we go for these features then i would love to work on the same and get it done |
|
Hi @stnguyen90 , since this issue was already opened by @3lur way earlier than i started participating and the same was in discussion too. So, if we do not go for features i mentioned above even then you can accept it provided this PR fulfills the requirements of this issue otherwise please let me and I'll do the needful. Thanks |
You might want to 馃憤馃徏 this issue for this request.
could you provide some more insight into how this can be used for SSO?
Would you also provide some insight into why this would be needed in mobile apps? |
Imagine that in a mobile application, we typically don鈥檛 want the user鈥檚 session to expire after a certain period in most scenarios. In other words, I would like the session to remain active even if the user reopens the application after 10 days. |
@stnguyen90 thanks for mentioning this, I鈥檒l consider this issue when start working.
I am realising that by simply saying the term SSO lead to some confusion. So, let rephrase the idea: This SSO is not going to fulfil the requirements of signing in into services like zoom, slack, etc. because for that we have to support SAML and/or OpenID Connect to provide identity. Here, we are going to provide the SSO solution for an organisation鈥檚 own multiple projects. Let me put it through an example -
An Organisation have multiple projects like Project 1, Project 2, Project 3, and SSO Project this is very high level overview of the flow. When we sign the JWT using any variant of ES or RS algo then Application Server doesn鈥檛 have to make an API call on every request to SSO Server i.e., Appwrite because public key or jwks can be cached after fetching [#1112] and JWT will get verified on Application Server itself. In this way organisation has to maintain only one user base and they can put the project level access inside prefs (custom attribute field) or for more fine grained controls this logic can be maintained on the respective project level itself. |
|
+1 on this, i would like to manually set the expiration time of jwt tokens, in my case i have a native php project (and you cant create a session with the php sdk), so, my login page (simple html and js page with email and password) create the jwt token and store it as a cookie, then my php retrieve the cookie and allow access to user or not, 15 minutes is too low for my users and is annoying asking them to login again every 15minutes, i cant use oauth or other methods because is not a open system, i create the accounts (users cant register) |
馃敄 Feature description
Can I extend the expiry time of jwt? How should I do this?
馃帳 Pitch
in the development environment, I would like the token to expire for a longer period of time
馃憖 Have you spent some time to check if this issue has been raised before?
馃彚 Have you read the Code of Conduct?
The text was updated successfully, but these errors were encountered: