I have spent some time understanding how authentication works in Foreman. We have multiple auth sources in Foreman: External, LDAP, internal.
I have a few findings related to the existing auth flows:
- For Kerberos authentication, we do get an expiration time in the Kerberos ticket, but we still use the idle timeout setting in Foreman to set the session timeout.
- In the case of Apache authentication, we also use the same idle timeout setting to set the authentication timeout.
For OpenID Connect, when we get the JWT token, I tried to extract the expiry of the token and set that as the session expiry time. But now I realize that all the other flows use the idle timeout setting in Foreman. Should we keep that consistent and use the setting for the OpenID Connect session timeout too?
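Reading the `exp` claim out of the OIDC token and combining it with the idle-timeout setting, as an added Ruby illustration; this is not Foreman's own code or the poster's patch. The token is constructed and unsigned, the claim values and the `idle_timeout_minutes` parameter are assumptions, and the claim decoder is meant to run only on a token the OIDC library has already validated (signature, issuer, audience). It shows the bound a defender wants in either design: the session never outlives the token, and the idle timeout still caps a long-lived token.

```ruby
require 'json'

# RFC 4648 URL-safe base64 without padding, the encoding used for JWT segments.
def urlsafe_b64_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def urlsafe_b64_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4) # restore the padding the encoder stripped
  s.unpack1('m0')
end

# Return the claims from the payload segment of a JWT. This does NOT verify the
# signature: call it only on a token the OIDC library has already validated,
# otherwise the `exp` value read here is attacker-controlled.
def jwt_claims(token)
  segments = token.split('.')
  raise ArgumentError, 'malformed JWT: expected 3 segments' unless segments.length == 3

  JSON.parse(urlsafe_b64_decode(segments[1]))
end

# Session deadline bounded by BOTH the idle-timeout setting and the token's
# `exp` claim. `now` is a Time, `idle_timeout_minutes` mirrors the Foreman
# setting (assumed name); returns the earlier of the two deadlines as a Time.
def session_expiry(token, now:, idle_timeout_minutes:)
  exp = jwt_claims(token)['exp']
  raise ArgumentError, 'token has no integer exp claim' unless exp.is_a?(Integer)

  idle_deadline  = now + idle_timeout_minutes * 60
  token_deadline = Time.at(exp).utc
  [idle_deadline, token_deadline].min
end

# Constructed sample: an UNSIGNED token with a fixed exp (hypothetical claims,
# not a real identity-provider token). The third segment is a dummy signature.
def sample_token(exp)
  header  = urlsafe_b64_encode(JSON.generate({ alg: 'none', typ: 'JWT' }))
  payload = urlsafe_b64_encode(JSON.generate({ sub: 'user@example.com', iat: exp - 300, exp: exp }))
  "#{header}.#{payload}.dummysig"
end

if __FILE__ == $PROGRAM_NAME
  now   = Time.utc(2020, 1, 1, 12, 0, 0)
  short = sample_token(now.to_i + 300)  # token expires in 5 minutes
  long  = sample_token(now.to_i + 7200) # token expires in 2 hours
  puts "short-lived token, 60 min idle timeout -> #{session_expiry(short, now: now, idle_timeout_minutes: 60)}"
  puts "long-lived token,  60 min idle timeout -> #{session_expiry(long, now: now, idle_timeout_minutes: 60)}"
end
```

With a 60-minute idle timeout, the short-lived token yields a 12:05 deadline (the token wins) and the long-lived one a 13:00 deadline (the setting wins), so whichever flow Foreman standardises on, the idle setting can stay the common knob while the token expiry acts as an upper bound.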