okraport
left a comment
I think the change makes sense but would like to get more eyes on this as I am unsure if this will have wider impact.
| webIdleTimeout: nil, | ||
| sessionTTL: time.Hour * 12, | ||
| expectedBearerTokenTTL: defaults.BearerTokenTTL, | ||
| }, |
| }, | |
| { | |
| name: "bearerTokenExpiry is sessionTTL when shorter than defaults.BearerTokenTTL", | |
| webIdleTimeout: nil, | |
| sessionTTL: time.Minute * 5, | |
| expectedBearerTokenTTL: time.Minute * 5, | |
| }, |
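Review bot: both cases shown here set webIdleTimeout: nil, so in the lines visible the table does not exercise a configured web idle timeout, which is the path this change is about. Suggest adding a case with webIdleTimeout set longer than defaults.BearerTokenTTL but shorter than sessionTTL, and one with webIdleTimeout set longer than sessionTTL, each with an explicit expectedBearerTokenTTL, so the test documents whether the bearer token can ever outlive the web session.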
I don't actually know if this should be the behaviour based on the case above but we should make this codepath explicit.
rob-picard-teleport
left a comment
This makes sense to me, and implementation looks good. I'd still love to see the bearer token go away eventually of course, but this seems like a reasonable intermediate step!
friendly ping @kimlisa This will probably just stay in master and not get backported, so we can see how it affects things
okraport
left a comment
Having thought about it, I think this is good. Nice job.
The webUI will log a user out due to invalid token if they haven't pinged the server within the idle time, which defaulted to the bearer token default (10 minutes). Instead, we will only default to 10 minutes if the web_idle_timeout is not configured in the cluster config
I'll be holding off on backporting this. The plan is to release it next major but will come back to other backports if that changes.
* Set MaxAge for cookie based on WebSession expiry (#58091)
* Set MaxAge in web cookie if time until expiry is > 0 (#58293)
  This updates the logic to only setting max-age if the provided expiry is in the future rather than any non-zero value.
* Respect WebIdleTimeout in bearerTokenTTL (#59645)
  The webUI will log a user out due to invalid token if they haven't pinged the server within the idle time, which defaulted to the bearer token default (10 minutes). Instead, we will only default to 10 minutes if the web_idle_timeout is not configured in the cluster config
The webUI will log a user out due to invalid token if they haven't pinged the server within the idle time, which defaulted to the bearer token default (10 minutes). Instead, we should only default to 10 minutes if the web_idle_timeout is not configured in the cluster config. This aligns with how it is described in the documentation.
docs reference: https://goteleport.com/docs/connect-your-client/web-ui/
changelog: Fix the webUI timeout time to respect the cluster's WebIdleTimeout configuration.
edit: moving to draft. I'm going to see if there is a different mechanism that we can leverage for the same effect, without increasing the bearer token expiry