fix(ory,lasuite): harden session security and fix logout + WebSocket routing
- Fix Hydra postLogoutRedirectUris for docs and people to match the actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/) instead of the root URL, resolving 599 logout errors.
- Fix docs y-provider WebSocket backend port: use Service port 443 (not pod port 4444 which has no DNAT rule) in Pingora config.
- Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true and reduce refreshAfter from 1h to 5m across all static-creds paths (kratos, hydra, gitea, hive, people, docs) so credential rotation is reflected within 5 minutes instead of up to 1 hour.
- Set Hydra token TTLs: access_token and id_token to 5m; refresh_token to 720h (30 days). Kratos session carries silent re-auth so the short access token TTL does not require users to log in manually.
- Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After 1h, apps silently re-auth via the active Kratos session. Disabled identities (sunbeam user disable) cannot re-auth on next expiry.
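The commit message states two policies that are easy to regress in later edits: every VaultDynamicSecret on a static-creds path must carry allowStaticCreds: true with refreshAfter no longer than 5m, and every Hydra client's postLogoutRedirectUris must point at the /api/v1.0/logout-callback/ path rather than the root URL. The following lint is an added example, not code from this repository or from the Vault Secrets Operator or Hydra projects. It works on plain dicts in the shape a YAML loader would produce; the gitea manifest mirrors the hunk below, while the docs client object (field name postLogoutRedirectUris under spec) and the example.invalid hostnames are constructed assumptions.

```python
from __future__ import annotations

import re

# Policy constants taken from the commit message.
MAX_STATIC_REFRESH_SECONDS = 5 * 60
LOGOUT_CALLBACK_SUFFIX = "/api/v1.0/logout-callback/"

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """Convert a Go-style duration such as '1h', '5m' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhd])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def check_vault_dynamic_secret(manifest: dict) -> list[str]:
    """Return findings for one VaultDynamicSecret; an empty list means compliant."""
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    path = spec.get("path", "")
    findings: list[str] = []
    if "static-creds" not in path:
        return findings  # the policy only applies to Vault static-role paths
    if spec.get("allowStaticCreds") is not True:
        findings.append(f"{name}: static-creds path {path!r} without allowStaticCreds: true")
    refresh = spec.get("refreshAfter")
    if refresh is None:
        findings.append(f"{name}: refreshAfter missing on static-creds path")
    elif parse_duration(refresh) > MAX_STATIC_REFRESH_SECONDS:
        findings.append(f"{name}: refreshAfter {refresh} exceeds 5m")
    return findings


def check_hydra_client(client: dict) -> list[str]:
    """Return findings for one Hydra client object (layout assumed, see lead-in)."""
    name = client.get("metadata", {}).get("name", "<unnamed>")
    uris = client.get("spec", {}).get("postLogoutRedirectUris", [])
    findings: list[str] = []
    if not uris:
        findings.append(f"{name}: no postLogoutRedirectUris configured")
    for uri in uris:
        if not uri.endswith(LOGOUT_CALLBACK_SUFFIX):
            findings.append(f"{name}: {uri} is not the mozilla_django_oidc logout callback")
    return findings


def lint_all(secrets: list[dict], clients: list[dict]) -> list[str]:
    """Run both checks over every manifest and collect all findings."""
    findings: list[str] = []
    for secret in secrets:
        findings.extend(check_vault_dynamic_secret(secret))
    for client in clients:
        findings.extend(check_hydra_client(client))
    return findings


# Constructed sample inputs: the gitea secret before and after the change in this commit.
GITEA_BEFORE = {
    "metadata": {"name": "gitea"},
    "spec": {"vaultAuthRef": "vso-auth", "mount": "database",
             "path": "static-creds/gitea", "refreshAfter": "1h"},
}
GITEA_AFTER = {
    "metadata": {"name": "gitea"},
    "spec": {"vaultAuthRef": "vso-auth", "mount": "database",
             "path": "static-creds/gitea", "allowStaticCreds": True,
             "refreshAfter": "5m"},
}
# Constructed Hydra client objects; hostname is a placeholder.
DOCS_CLIENT_BEFORE = {
    "metadata": {"name": "docs"},
    "spec": {"postLogoutRedirectUris": ["https://docs.example.invalid/"]},
}
DOCS_CLIENT_AFTER = {
    "metadata": {"name": "docs"},
    "spec": {"postLogoutRedirectUris": ["https://docs.example.invalid/api/v1.0/logout-callback/"]},
}

if __name__ == "__main__":
    for finding in lint_all([GITEA_BEFORE], [DOCS_CLIENT_BEFORE]):
        print("before:", finding)
    print("after:", lint_all([GITEA_AFTER], [DOCS_CLIENT_AFTER]) or "clean")
```

Running the module prints the two findings for the pre-commit gitea secret (missing allowStaticCreds and a 1h refresh) plus the root-URL logout finding for docs, and "clean" for the post-commit state. Wiring lint_all into CI keeps a future manifest edit from silently reopening the 599 logout error or the slow rotation pickup.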
@@ -21,7 +21,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/gitea
refreshAfter: 1h
allowStaticCreds: true
refreshAfter: 5m
rolloutRestartTargets:
- kind: StatefulSet
name: gitea
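Review bot: the added `allowStaticCreds: true` on `path: static-creds/gitea` has no comment explaining why it is required, and a later reader will be tempted to drop it when tidying the spec; add a YAML comment above it stating that this path is a Vault static role rotated on the server side, so the operator must be told to re-read it on the `refreshAfter: 5m` schedule rather than wait for a lease to expire. The combination with `rolloutRestartTargets` / `kind: StatefulSet` / `name: gitea` also deserves a check before merge: confirm that the operator only restarts the target when the synced secret's data actually changes, since a restart on every 5m sync would bounce the gitea StatefulSet continuously, whereas the commit message intends a restart only when rotation produces new credentials.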