Merged
13 changes: 11 additions & 2 deletions api/types/oidc.go
Expand Up @@ -19,7 +19,9 @@ package types
import (
"net/netip"
"net/url"
"os"
"slices"
"strconv"
"strings"
"time"

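Review bot: the new `os` and `strconv` imports bring environment-variable lookups into `api/types`, a package that otherwise holds only resource definitions and ships in the public `api` module used by clients as well as the auth server. Consider moving the `TELEPORT_OIDC_OMIT_MFA_MAX_AGE` read to the caller that applies MFA settings on the auth side, so the variable is evaluated once in a known process rather than in whichever process happens to call `WithMFASettings`.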
Expand Down Expand Up @@ -575,8 +577,15 @@ func (o *OIDCConnectorV3) WithMFASettings() error {
o.Spec.ClientSecret = o.Spec.MFASettings.ClientSecret
o.Spec.ACR = o.Spec.MFASettings.AcrValues
o.Spec.Prompt = o.Spec.MFASettings.Prompt
o.Spec.MaxAge = &MaxAge{
Value: o.Spec.MFASettings.MaxAge,
// In rare cases, some providers will complain about the presence of the 'max_age'
// parameter in auth requests. Provide users with a workaround to omit it.
omitMaxAge, _ := strconv.ParseBool(os.Getenv("TELEPORT_OIDC_OMIT_MFA_MAX_AGE"))
Contributor
Just to make sure we don't lose that workaround, can you make sure we document the correct way to use this?

Contributor Author
I believe that our intention is to avoid advertising this option in the docs. While some users really do need this option, it's a potentially significant security footgun for most.

I can (and probably should) add a corresponding test case to the OIDC implementation that will squawk if this behavior is accidentally removed or broken though.

if omitMaxAge {
o.Spec.MaxAge = nil
} else {
o.Spec.MaxAge = &MaxAge{
Value: o.Spec.MFASettings.MaxAge,
}
}
return nil
}
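Review bot: the `strconv.ParseBool` error is discarded on the `omitMaxAge, _ := ...` line, so a value such as `yes` or `on` is silently treated as `false` and `max_age` stays in the request, which is the opposite of what the operator asked for. Since the variable is deliberately undocumented and changes a security property, the failure mode should be loud: only parse when the variable is non-empty, and return the error otherwise, e.g. `if v := os.Getenv("TELEPORT_OIDC_OMIT_MFA_MAX_AGE"); v != "" { omitMaxAge, err = strconv.ParseBool(v); if err != nil { return trace.BadParameter("invalid TELEPORT_OIDC_OMIT_MFA_MAX_AGE: %v", err) } }`. The comment above the lookup should also state the consequence of omitting the parameter: without `max_age` the provider may satisfy the MFA challenge from an existing session without re-prompting the user, which is the footgun the thread refers to. The regression test promised in the thread should exercise both the set and unset cases so the `nil` versus `&MaxAge{}` branches are both covered.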