Allow configuration of how long the user has to complete IdP login, rather than hard coded 5 minutes

[richjyoung]

vouch-proxy/handlers/handlers.go

Line 60 in 67cce8a

sessstore.Options.MaxAge = 300 // give the user five minutes to log in at the IdP

I am trying to diagnose issues with a 400 Bad Request error, with a log message like this (actual session ID removed):

/auth Invalid session state: stored %!s(<nil>), returned ******

I can only produce a 400 Bad Request error manually if the VouchSession cookie is not sent to the /auth callback.

At present I don't think Vouch is to blame, but my KeyCloak instance allows a configurable duration for the user to complete login, and I feel for better compatibility Vouch should probably do the same rather than a fixed 5 minutes.

Could this be added to the vouch.session section of the config? Perhaps vouch.session.maxAge?

[richjyoung]

I see this was introduced in #270.

I've been seeing Bad Request errors since upgrading from 0.11.3 to 0.17.3. It's not clear why users are taking longer than 5 minutes to login, perhaps because they have 2FA to deal with as well, but at the moment I need to be able to set this to be much longer to eliminate it as a possibility. I suspect this means the number of times the user is allowed to login within a given period would need to be configurable as well based on the original issue that prompted this change.

[bnfinet]

thanks @richjyoung. That makes sense.

PR welcome!

It shouldn't be too hard to add. Please set .defaults.yml to 300 and add a clear description to config/config.yml_example for vouch.session.maxAge. And please test with both an env var as well as the config entry.