OIDC : cleanup & add idleSessionLifetimeInSeconds (#570)

Author: olevitt

README.md

@@ -72,7 +72,7 @@ Configurable properties :
 | `oidc.public-key` | | Optional: If for some reason you don't want Onyxia-API to bootstrap configuration by requesting the `issuer-uri` then you can manually provide the public key used for validating incoming tokens. |
 | `oidc.extra-query-params` | | Optional : query params to be added by client. e.g : `prompt=consent&kc_idp_hint=google` |
 | `oidc.scope` | `openid profile` | Optional : Specifies the OIDC scopes to be requested by the Onyxia client. `"openid"` is always requested, regardless of this setting. |
-| `oidc.workaroundForGoogleClientSecret` | | For some reasons, Google OAuth requires providing a client secret even for public clients. ⚠️ Use this configuration only if using Google OAuth ! ⚠️ For all other providers you should not have client secret as the Onyxia client is public. Example client secret format: " `GOCSPX-_xxxxxxxxxxxxxxxxxxxxxxxxxxx` |
+| `oidc.idleSessionLifetimeInSeconds` | | Optional: Automatically logs out users after a set period of inactivity. |
 
 ### Security configuration :
 | Key | Default | Description |

onyxia-api/src/main/java/fr/insee/onyxia/api/controller/pub/ConfigurationController.java

@@ -54,8 +54,8 @@ public AppInfo configuration() {
             OIDCConfiguration.setIssuerURI(oidcConfiguration.getIssuerUri());
             OIDCConfiguration.setClientID(oidcConfiguration.getClientID());
             OIDCConfiguration.setExtraQueryParams(oidcConfiguration.getExtraQueryParams());
-            OIDCConfiguration.setWorkaroundForGoogleClientSecret(
-                    oidcConfiguration.getWorkaroundForGoogleClientSecret());
+            OIDCConfiguration.setIdleSessionLifetimeInSeconds(
+                    oidcConfiguration.getIdleSessionLifetimeInSeconds());
             OIDCConfiguration.setScope(oidcConfiguration.getScope());
             OIDCConfiguration.setAudience(oidcConfiguration.getAudience());
             appInfo.setOidcConfiguration(OIDCConfiguration);

onyxia-api/src/main/java/fr/insee/onyxia/api/security/OIDCConfiguration.java

@@ -94,8 +94,8 @@ public class OIDCConfiguration {
     @Value("${oidc.scope}")
     private String scope;
 
-    @Value("${oidc.workaroundForGoogleClientSecret}")
-    private String workaroundForGoogleClientSecret;
+    @Value("${oidc.idleSessionLifetimeInSeconds}")
+    private Integer idleSessionLifetimeInSeconds;
 
     private final HttpRequestUtils httpRequestUtils;
 
@@ -288,12 +288,12 @@ public void setScope(String scope) {
         this.scope = scope;
     }
 
-    public void setWorkaroundForGoogleClientSecret(String workaroundForGoogleClientSecret) {
-        this.workaroundForGoogleClientSecret = workaroundForGoogleClientSecret;
+    public void setIdleSessionLifetimeInSeconds(Integer idleSessionLifetimeInSeconds) {
+        this.idleSessionLifetimeInSeconds = idleSessionLifetimeInSeconds;
     }
 
-    public String getWorkaroundForGoogleClientSecret() {
-        return workaroundForGoogleClientSecret;
+    public Integer getIdleSessionLifetimeInSeconds() {
+        return idleSessionLifetimeInSeconds;
     }
 
     @Bean

onyxia-api/src/main/resources/application.properties

@@ -11,7 +11,7 @@ oidc.groups-claim=groups
 oidc.roles-claim=roles
 oidc.extra-query-params=
 oidc.scope=openid profile
-oidc.workaroundForGoogleClientSecret=
+oidc.idleSessionLifetimeInSeconds=
 # Catalogs
 catalogs.refresh.ms=300000
 # Security

onyxia-model/src/main/java/fr/insee/onyxia/model/region/Region.java

@@ -787,7 +787,7 @@ public static class OIDCConfiguration {
         private String clientID;
         private String extraQueryParams;
         private String scope;
-        private String workaroundForGoogleClientSecret;
+        private Integer idleSessionLifetimeInSeconds;
 
         private String audience;
 
@@ -815,12 +815,12 @@ public void setExtraQueryParams(String extraQueryParams) {
             this.extraQueryParams = extraQueryParams;
         }
 
-        public String getWorkaroundForGoogleClientSecret() {
-            return workaroundForGoogleClientSecret;
+        public Integer getIdleSessionLifetimeInSeconds() {
+            return idleSessionLifetimeInSeconds;
         }
 
-        public void setWorkaroundForGoogleClientSecret(String workaroundForGoogleClientSecret) {
-            this.workaroundForGoogleClientSecret = workaroundForGoogleClientSecret;
+        public void setIdleSessionLifetimeInSeconds(Integer idleSessionLifetimeInSeconds) {
+            this.idleSessionLifetimeInSeconds = idleSessionLifetimeInSeconds;
         }
 
         public String getScope() {