Respect WebIdleTimeout in bearerTokenTTL

lib/auth/auth_test.go

@@ -3119,7 +3119,7 @@ func TestNewWebSession(t *testing.T) {
 		LoginTime:  p.a.GetClock().Now().UTC(),
 		SessionTTL: apidefaults.CertDuration,
 	}
-	bearerTokenTTL := min(req.SessionTTL, defaults.BearerTokenTTL)
+	bearerTokenTTL := min(req.SessionTTL, duration)
 
 	ws, _, err := p.a.NewWebSession(ctx, req, nil /* opts */)
 	require.NoError(t, err)

lib/auth/sessions.go

@@ -313,6 +313,9 @@ func (a *Server) newWebSession(
 		return nil, nil, trace.Wrap(err)
 	}
 	bearerTokenTTL := min(sessionTTL, defaults.BearerTokenTTL)
+	if idleTimeout > 0 {
+		bearerTokenTTL = min(sessionTTL, idleTimeout)
+	}
 
 	startTime := a.clock.Now()
 	if !req.LoginTime.IsZero() {

lib/auth/sessions_test.go

@@ -22,15 +22,89 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/jonboulle/clockwork"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	devicepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/auth/authtest"
+	"github.com/gravitational/teleport/lib/defaults"
 )
 
+func TestCreateWebSession(t *testing.T) {
+	t.Parallel()
+
+	const userLlama = "llama"
+	tenHours := time.Hour * 10
+	eightHours := time.Hour * 8
+
+	testCases := []struct {
+		name                   string
+		webIdleTimeout         *time.Duration
+		sessionTTL             time.Duration
+		expectedBearerTokenTTL time.Duration
+	}{
+		{
+			name:                   "bearerTokenExpiry equal webidletimeout",
+			webIdleTimeout:         &tenHours,
+			expectedBearerTokenTTL: tenHours,
+			sessionTTL:             time.Hour * 12,
+		},
+		{
+			name:                   "bearerTokenExpiry is sessionTTL when shorter than webidletimeout",
+			webIdleTimeout:         &tenHours,
+			sessionTTL:             eightHours,
+			expectedBearerTokenTTL: eightHours,
+		},
+		{
+			name:                   "bearerTokenExpiry defaults to 10 minutes when webidletimeout not configured",
+			webIdleTimeout:         nil,
+			sessionTTL:             time.Hour * 12,
+			expectedBearerTokenTTL: defaults.BearerTokenTTL,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			clusterNetworkConfig := types.DefaultClusterNetworkingConfig()
+			if tc.webIdleTimeout != nil {
+				clusterNetworkConfig.SetWebIdleTimeout(*tc.webIdleTimeout)
+			}
+
+			fakeclock := clockwork.NewFakeClock()
+			testAuthServer, err := authtest.NewAuthServer(authtest.AuthServerConfig{
+				Clock:                   fakeclock,
+				Dir:                     t.TempDir(),
+				ClusterNetworkingConfig: clusterNetworkConfig,
+			})
+			require.NoError(t, err, "NewAuthServer failed")
+			t.Cleanup(func() {
+				assert.NoError(t, testAuthServer.Close(), "testAuthServer.Close() errored")
+			})
+
+			authServer := testAuthServer.AuthServer
+			ctx := context.Background()
+
+			_, _, err = authtest.CreateUserAndRole(authServer, userLlama, []string{userLlama} /* logins */, nil /* allowRules */)
+			require.NoError(t, err, "CreateUserAndRole failed")
+
+			session, err := authServer.CreateWebSessionFromReq(ctx, auth.NewWebSessionRequest{
+				User:       userLlama,
+				SessionTTL: tc.sessionTTL,
+			})
+			require.NoError(t, err, "CreateWebSessionFromReq failed")
+
+			bearerTokenExpiry := session.GetBearerTokenExpiryTime()
+			actualTTL := fakeclock.Until(bearerTokenExpiry)
+			require.Equal(t, tc.expectedBearerTokenTTL, actualTTL)
+		})
+	}
+}
+
 func TestServer_CreateWebSessionFromReq_deviceWebToken(t *testing.T) {
 	t.Parallel()