From 730a75709078e4bde826bc5ad84af39032caeb92 Mon Sep 17 00:00:00 2001
From: Chris Weaver <25087905+Weves@users.noreply.github.com>
Date: Tue, 20 Aug 2024 13:24:58 -0700
Subject: [PATCH] Disable oidc_expiry by default (#2182)

---
 backend/danswer/auth/users.py | 8 ++++----
 backend/danswer/configs/app_configs.py | 8 ++++++++
 deployment/docker_compose/docker-compose.dev.yml | 1 +
 deployment/docker_compose/docker-compose.gpu-dev.yml | 1 +
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/backend/danswer/auth/users.py b/backend/danswer/auth/users.py
index 76b4ca812c95..39e2477f6ddf 100644
--- a/backend/danswer/auth/users.py
+++ b/backend/danswer/auth/users.py
@@ -40,6 +40,7 @@ from danswer.configs.app_configs import SMTP_PASS
 from danswer.configs.app_configs import SMTP_PORT
 from danswer.configs.app_configs import SMTP_SERVER
 from danswer.configs.app_configs import SMTP_USER
+from danswer.configs.app_configs import TRACK_EXTERNAL_IDP_EXPIRY
 from danswer.configs.app_configs import USER_AUTH_SECRET
 from danswer.configs.app_configs import VALID_EMAIL_DOMAINS
 from danswer.configs.app_configs import WEB_DOMAIN
@@ -201,10 +202,9 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
                 is_verified_by_default=is_verified_by_default,
             )
 
-        # NOTE: google oauth expires after 1hr. We don't want to force the user to
-        # re-authenticate that frequently, so for now we'll just ignore this for
-        # google oauth users
-        if expires_at and AUTH_TYPE != AuthType.GOOGLE_OAUTH:
+        # NOTE: Most IdPs have very short expiry times, and we don't want to force the user to
+        # re-authenticate that frequently, so by default this is disabled
+        if expires_at and TRACK_EXTERNAL_IDP_EXPIRY:
             oidc_expiry = datetime.fromtimestamp(expires_at, tz=timezone.utc)
             await self.user_db.update(user, update_dict={"oidc_expiry": oidc_expiry})
         return user
diff --git a/backend/danswer/configs/app_configs.py b/backend/danswer/configs/app_configs.py
index cccb81c9aa22..16b916f3decb 100644
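Review bot: The new `if expires_at and TRACK_EXTERNAL_IDP_EXPIRY:` skips writing `oidc_expiry` when the flag is off but never clears a value stored by an earlier login, so a user row written before the flag was disabled presumably keeps its old `oidc_expiry` and may still be forced out (or, if the reader of that column is also gated, carry a stale timestamp) — verify against the code that reads `oidc_expiry`, which is not in this hunk. An explicit reset would make the flag's state the only thing that matters: `else: await self.user_db.update(user, update_dict={"oidc_expiry": None})`. Note this is a security-relevant default flip, not only a UX tweak: the removed condition honored `expires_at` for every IdP except Google, so a session that expired or was revoked at the IdP could not outlive it here, whereas now every provider's session lifetime is decoupled from the IdP unless the operator opts in; the NOTE comment should say that (e.g. `# NOTE: with TRACK_EXTERNAL_IDP_EXPIRY unset, the Danswer session outlives the IdP session; operators needing IdP-bound lifetime must enable it`) and it belongs in the release notes. The enclosing method starts outside the hunk.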
--- a/backend/danswer/configs/app_configs.py
+++ b/backend/danswer/configs/app_configs.py
@@ -93,6 +93,14 @@ SMTP_USER = os.environ.get("SMTP_USER", "your-email@gmail.com")
 SMTP_PASS = os.environ.get("SMTP_PASS", "your-gmail-password")
 EMAIL_FROM = os.environ.get("EMAIL_FROM") or SMTP_USER
 
+# If set, Danswer will listen to the `expires_at` returned by the identity
+# provider (e.g. Okta, Google, etc.) and force the user to re-authenticate
+# after this time has elapsed. Disabled since by default many auth providers
+# have very short expiry times (e.g. 1 hour) which provide a poor user experience
+TRACK_EXTERNAL_IDP_EXPIRY = (
+    os.environ.get("TRACK_EXTERNAL_IDP_EXPIRY", "").lower() == "true"
+)
+
 
 #####
 # DB Configs
diff --git a/deployment/docker_compose/docker-compose.dev.yml b/deployment/docker_compose/docker-compose.dev.yml
index ea5e8e1e5d5b..d28ccd59f72e 100644
--- a/deployment/docker_compose/docker-compose.dev.yml
+++ b/deployment/docker_compose/docker-compose.dev.yml
@@ -33,6 +33,7 @@ services:
       - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID:-}
       - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET:-}
       - OPENID_CONFIG_URL=${OPENID_CONFIG_URL:-}
+      - TRACK_EXTERNAL_IDP_EXPIRY=${TRACK_EXTERNAL_IDP_EXPIRY:-}
       # Gen AI Settings
       - GEN_AI_MODEL_PROVIDER=${GEN_AI_MODEL_PROVIDER:-}
       - GEN_AI_MODEL_VERSION=${GEN_AI_MODEL_VERSION:-}
diff --git a/deployment/docker_compose/docker-compose.gpu-dev.yml b/deployment/docker_compose/docker-compose.gpu-dev.yml
index e09aec50c948..70120a53944a 100644
--- a/deployment/docker_compose/docker-compose.gpu-dev.yml
+++ b/deployment/docker_compose/docker-compose.gpu-dev.yml
@@ -30,6 +30,7 @@ services:
       - SMTP_USER=${SMTP_USER:-}
       - SMTP_PASS=${SMTP_PASS:-}
       - EMAIL_FROM=${EMAIL_FROM:-}
+      - TRACK_EXTERNAL_IDP_EXPIRY=${TRACK_EXTERNAL_IDP_EXPIRY:-}
       # Gen AI Settings
       - GEN_AI_MODEL_PROVIDER=${GEN_AI_MODEL_PROVIDER:-}
       - GEN_AI_MODEL_VERSION=${GEN_AI_MODEL_VERSION:-}
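Review bot: The comment above `TRACK_EXTERNAL_IDP_EXPIRY` says "If set", but the parse accepts only the literal `true` (case-insensitive), so `TRACK_EXTERNAL_IDP_EXPIRY=1` or `=yes` leaves the feature silently disabled — the worst failure mode for an opt-in security control. Either say so in the comment, e.g. `# Set to "true" to enable; any other value (including "1" or "yes") leaves it disabled`, or accept the usual spellings with `in ("true", "1", "yes")`, following whatever convention the other boolean env vars in this file use (not visible in the hunk). The comment also only gives the UX reason; it should name the trade-off being accepted: with this off, a session that expired or was revoked at the IdP is not reflected in Danswer until its own session ends, so deployments that need IdP-bound session lifetime must opt in.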