Automatic logout and token expiration

When a user logs in to Workbench, they receive a newly created token (a long string of random characters) which grants access to the Arvados API on behalf of that user. In the default configuration, this token does not expire until the user explicitly logs out.

Security policies, such as those required to comply with regulations such as HIPAA and GxP, may include policies for “automatic logoff”. In order to limit the window of risk associated with unauthorized access of the desktop of an Arvados user, or a token being leaked, Arvados offers options for automatic logout from the web app, and to configure access tokens to expire by default.

The Workbench.IdleTimeout, Login.TokenLifetime, and API.MaxTokenLifetime options give the administrator ways to control automatic expiration of tokens granted through the login flow.

If you are looking for information on how to expire a token manually, see how to delete a single token and delete all tokens belonging to a user .

Automatic logout

Use Workbench.IdleTimeout to configure Workbench 2 for automatic logout after a period of idle time. For example, this configuration would log the user out after five minutes of no keyboard or pointer activity:

Clusters:
  zzzzz:
    ...
    Workbench:
      IdleTimeout: 5m
    ...

When idle timeout is set, several behaviors and considerations apply:

  • The user will be automatically logged out after a period of inactivity. When the automatic logout happens, the token associated with that session will be revoked.
  • Users should use the “open in new tab” functionality of Workbench 2. This will share the same token between tabs without requiring the user to log in again. Logging out will apply to all browser tabs that use the same token.
  • If the user closes a Workbench tab without first logging out, the browser will forget the token, but not expire the token (this is desirable if the user has several tabs open).
  • If the user closes all Workbench tabs, they will be required to log in again.
  • This only affects browser behavior. Automatic logout should be used together automatic token expiration described below.

The default value for Workbench.IdleTimeout is zero, which disables auto-logout.

Automatic expiration of login tokens

Use Login.TokenLifetime to set the lifetime for tokens issued through the login process. This is the maximum amount of time a user can maintain a session before having to log in again. This setting applies to both regular and admin user logins. Here is an example configuration that would require the user to log in again after 12 hours:

Clusters:
  zzzzz:
    ...
    Login:
      TokenLifetime: 12h
    ...

This is independent of Workbench.IdleTimeout. Even if Workbench auto-logout is disabled, this option will ensure that the user is always required to log in again after the configured amount of time.

Untrusted login tokens

Clusters:
  zzzzz:
    ...
    Login:
      TrustLoginTokens: false
    ...

When `TrustLoginTokens` is `false`, tokens issued through login will be “untrusted” by default. Untrusted tokens cannot be used to list other tokens issued to the user, and cannot be used to grant new tokens. This stops an attacker from leveraging a leaked token to aquire other tokens, but also interferes with some Workbench features that create new tokens on behalf of the user.

The default value Login.TokenLifetime is zero, meaning login tokens do not expire (unless API.MaxTokenLifetime is set).

Automatic expiration of all tokens

Use API.MaxTokenLifetime to set the maximum lifetime for any access token created by regular (non-admin) users. For example, this configuration would require that all tokens expire after 24 hours:

Clusters:
  zzzzz:
    ...
    API:
      MaxTokenLifetime: 24h
    ...

Tokens created without an explicit expiration time, or that exceed maximum lifetime, will be set to API.MaxTokenLifetime.

Similar to Login.TokenLifetime, this option ensures that the user is always required to log in again after the configured amount of time.

Unlike Login.TokenLifetime, this applies to all API operations that manipulate tokens, regardless of whether the token was created by logging in, or by using the API. If Login.TokenLifetime is greater than API.MaxTokenLifetime, MaxTokenLifetime takes precedence.

Admin users are permitted to create tokens with expiration times further in the future than MaxTokenLifetime.

The default value MaxTokenLifetime is zero, which means there is no maximum token lifetime.

Choosing a policy

Workbench.IdleTimeout only affects browser behavior. It is strongly recommended that automatic browser logout be used together with Login.TokenLifetime, which is enforced on API side.

TrustLoginTokens: true (default value) is less restrictive. Be aware that an unrestricted token can be “refreshed” to gain access for an indefinite period. This means, during the window that the token is valid, the user is permitted to create a new token, which will have a new expiration further in the future (of course, once the token has expired, this is no longer possible). Unrestricted tokens are required for some Workbench features, as well as ease of use in other contexts, such as the Arvados command line. This option is recommended if many users will interact with the system through the command line.

TrustLoginTokens: false is more restrictive. A token obtained by logging into Workbench cannot be “refreshed” to gain access for an indefinite period. However, it interferes with some Workbench features, as well as ease of use in other contexts, such as the Arvados command line. This option is recommended only if most users will only ever interact with the system through Workbench or WebShell. For users or service accounts that need to tokens with fewer restrictions, the admin can create a token at the command line using the SystemRootToken.

In every case, admin users may always create tokens with expiration dates far in the future.

These policies do not apply to tokens created by the API server for the purposes of authorizing a container to run, as those tokens are automatically expired when the container is finished.

Applying policy to existing tokens

If you have an existing Arvados installation and want to set a token lifetime policy, there may be long-lived user tokens already granted. The administrator can use the following rake tasks to enforce the new policy.

The db:check_long_lived_tokens task will list which users have tokens with no expiration date.

# bin/rake db:check_long_lived_tokens
Found 6 long-lived tokens from users:
user2,user2@example.com,zzzzz-tpzed-5vzt5wc62k46p6r
admin,admin@example.com,zzzzz-tpzed-6drplgwq9nm5cox
user1,user1@example.com,zzzzz-tpzed-ftz2tfurbpf7xox

To apply the new policy to existing tokens, use the db:fix_long_lived_tokens task.

# bin/rake db:fix_long_lived_tokens
Setting token expiration to: 2020-08-25 03:30:50 +0000
6 tokens updated.

NOTE: These rake tasks adjust the expiration of all tokens except those belonging to the system root user (zzzzz-tpzed-000000000000000). If you have tokens used by automated service accounts that need to be long-lived, you can create tokens that don’t expire using the command line .


Previous: Securing API access with scoped tokens Next: Logging

The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.