Sienna Meridian Satterwhite
7ffddcafcd
- Fix Hydra postLogoutRedirectUris for docs and people to match the actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/) instead of the root URL, resolving 599 logout errors. - Fix docs y-provider WebSocket backend port: use Service port 443 (not pod port 4444 which has no DNAT rule) in Pingora config. - Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true and reduce refreshAfter from 1h to 5m across all static-creds paths (kratos, hydra, gitea, hive, people, docs) so credential rotation is reflected within 5 minutes instead of up to 1 hour. - Set Hydra token TTLs: access_token and id_token to 5m; refresh_token to 720h (30 days). Kratos session carries silent re-auth so the short access token TTL does not require users to log in manually. - Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After 1h, apps silently re-auth via the active Kratos session. Disabled identities (sunbeam user disable) cannot re-auth on next expiry.
5.1 KiB
5.1 KiB