Feature #17596

Ability to set different session expiration time for API

Added by Tomáš Strachota 5 months ago. Updated 5 months ago.

Status: New
Priority: Normal
Assigned To: -
Category: Authorization
Target version: Team Marek backlog
Difficulty:
Bugzilla link:
Found in release:
Pull request:
Story points: -
Velocity based estimate: -

Description

The API has supported sessions since #17487. The default expiration time is 1 hour, which is reasonable for UI purposes, but it's short for automation.

Having the API session expiry time configurable on a per-user basis would enable using special users with limited permissions only for automation.

History

#1 Updated by Ohad Levy 5 months ago

What should the expected behavior be?

If I think of other API tokens, some of them are active for a very long period (think GitHub tokens), while some other places (e.g. kerb) might default to 24 hours.

Also, while outside the scope of this ticket, I would love to see us storing user sessions in the database for visibility - something like https://github.com/blog/1661-modeling-your-app-s-user-session

#2 Updated by Tomáš Strachota 5 months ago

Thinking of it twice - the automation argument is probably invalid. It doesn't bring any additional functionality over having a special user with basic auth.

Unrelated to the above, there still could be some benefit in setting a different timeout value for UI/API, but it's low prio.
