Introduction
In this article, we'll explore a common issue faced by users who deploy the OIDC authentication method in HashiCorp Cloud Platform (HCP) Boundary with Microsoft Entra ID as the identity provider. Specifically, we'll address the problem of the token lifetime (TTL) configured on the Microsoft Entra ID side not being honored: no re-authentication is triggered and no forced logout occurs once the Entra ID TTL is reached. We'll also cover the role of the max_age parameter and how it interacts with the auth_token_time_to_live configuration in HCP Boundary.
Expected Outcome
By the end of this article, you should understand:
- Why the TTL configured on the Microsoft Entra ID side is not being honored in HCP Boundary.
- The role of the max_age parameter and its limitations.
- How the auth_token_time_to_live configuration affects token expiration and re-authentication.
- The current limitations in HCP Boundary regarding token lifetime configuration.
Prerequisites
- Basic understanding of HCP Boundary and Azure OIDC.
- Access to an HCP Boundary instance.
- Microsoft Entra ID (Azure AD) setup for OIDC authentication.
Use Case
We have deployed the OIDC authentication method for HCP Boundary with Microsoft Entra ID, following the official guide from Microsoft. Authentication works correctly, but the token lifetime configured on the Microsoft Entra ID side is not honored: users are neither prompted to re-authenticate nor logged out of Boundary when that lifetime is reached.
Solution
Step 1: Understand the Token Lifecycle in HCP Boundary
Upon successful authentication via OIDC, HCP Boundary issues its own auth token. The ID token from Microsoft Entra ID is consumed once, during the OIDC callback, to establish the user's identity; from then on every request to Boundary (including access to targets) is authorized by the Boundary token, so token lifetime policies configured in Entra ID never apply to it. The Boundary token's lifetime is governed by the controller's auth_token_time_to_live value, which defaults to 7 days (168h) and is currently not configurable for HCP Boundary. A companion value, auth_token_time_to_stale, invalidates a token that has gone unused for 24 hours by default, but it does not shorten the lifetime of a token that is in regular use.
Step 2: Clarify the Role of the max_age Parameter
The max_age parameter in OIDC instructs the Identity Provider to force re-authentication if the user's last authentication is older than the specified value. However, max_age is only sent to the Identity Provider as part of an authentication request, so it has no bearing on a Boundary token that has already been issued. In HCP Boundary this means the internal token must expire before max_age is consulted at all. Therefore:
- The HCP Boundary token always expires after 7 days, regardless of the max_age setting.
- Upon token expiration, users must re-authenticate. If max_age is set on the auth method, Microsoft Entra ID will enforce re-authentication at that point if the user's last authentication is older than the specified max_age value.
Step 3: Current Limitations in HCP Boundary
Currently, HCP Boundary does not expose the controller configuration, so the auth_token_time_to_live value cannot be changed from its default of 7 days (self-managed Boundary deployments set it in the controller stanza of their configuration file). As a result, the max_age parameter cannot force re-authentication before the internal token's 7-day lifetime expires. The only way to force an earlier re-authentication in HCP Boundary today is to revoke the user's auth token, after which the next login goes back through Entra ID and max_age applies.
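The following script, added here as an example and not code from HashiCorp or the Boundary project, puts Steps 1 to 3 into practice as an audit of issued tokens. It reads the JSON that `boundary auth-tokens list -format json` prints (field names follow the Boundary auth-token API resource), applies the HCP controller defaults described above, and for each token reports whether the controller still honours it, whether it has outlived an organisation's own re-authentication window (in which case it emits a `boundary auth-tokens delete` command to revoke it), and whether the auth method's max_age would make Entra ID re-prompt at the next login. The token listing, the fixed "now", the 8-hour policy window and the max_age of 3600 seconds are all constructed assumptions for the example.

```python
"""Audit Boundary auth tokens against a re-authentication window.

Added example, not Boundary's own code. SAMPLE_LIST is a constructed
payload in the shape of `boundary auth-tokens list -format json`; NOW is
fixed so the run is repeatable.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# HCP Boundary controller defaults (not adjustable on HCP at the time of writing).
AUTH_TOKEN_TIME_TO_LIVE = timedelta(hours=168)  # absolute lifetime, 7 days
AUTH_TOKEN_TIME_TO_STALE = timedelta(hours=24)  # invalidated after this much idle time

# Assumed organisation policy and auth-method setting (example values).
REAUTH_WINDOW = timedelta(hours=8)   # how often the org wants a fresh login
OIDC_MAX_AGE = 3600                  # max_age configured on the OIDC auth method, seconds

# Constructed sample listing; the ids and users are invented.
SAMPLE_LIST = json.dumps({
    "status_code": 200,
    "items": [
        {  # issued two hours ago, in active use
            "id": "at_fresh000001",
            "user_id": "u_alice",
            "auth_method_id": "amoidc_entra",
            "created_time": "2024-05-07T08:00:00Z",
            "approximate_last_used_time": "2024-05-07T09:55:00Z",
            "expiration_time": "2024-05-14T08:00:00Z",
        },
        {  # issued six days ago, kept alive by steady use
            "id": "at_old00000002",
            "user_id": "u_bob",
            "auth_method_id": "amoidc_entra",
            "created_time": "2024-05-01T10:00:00Z",
            "approximate_last_used_time": "2024-05-07T09:30:00Z",
            "expiration_time": "2024-05-08T10:00:00Z",
        },
        {  # issued three days ago, unused for two: stale before its TTL
            "id": "at_idle0000003",
            "user_id": "u_carol",
            "auth_method_id": "amoidc_entra",
            "created_time": "2024-05-04T10:00:00Z",
            "approximate_last_used_time": "2024-05-05T09:00:00Z",
            "expiration_time": "2024-05-11T10:00:00Z",
        },
    ],
})
NOW = datetime(2024, 5, 7, 10, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Boundary prints RFC 3339 timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Verdict:
    token_id: str
    user_id: str
    honoured_by_controller: bool
    reason: str
    entra_reprompt_on_next_login: bool
    revoke_command: str | None


def evaluate_token(token: dict, now: datetime, reauth_window: timedelta,
                   max_age: int | None) -> Verdict:
    created = parse_ts(token["created_time"])
    last_used = parse_ts(token["approximate_last_used_time"])
    expires = parse_ts(token["expiration_time"])

    # What the controller itself enforces: absolute TTL first, then idle timeout.
    if now >= expires or now - created >= AUTH_TOKEN_TIME_TO_LIVE:
        honoured, reason = False, "expired (auth_token_time_to_live reached)"
    elif now - last_used >= AUTH_TOKEN_TIME_TO_STALE:
        honoured, reason = False, "stale (auth_token_time_to_stale reached)"
    else:
        honoured, reason = True, f"valid for another {expires - now}"

    # max_age is only consulted when Boundary sends the user back to Entra ID,
    # i.e. at the next login. created_time approximates the auth_time of the
    # OIDC session that minted this token.
    auth_age = (now - created).total_seconds()
    entra_reprompt = max_age is not None and auth_age > max_age

    # Policy the controller cannot enforce on its own: a still-valid token
    # whose login is older than the window gets revoked to force a new login.
    revoke = None
    if honoured and now - created > reauth_window:
        revoke = f"boundary auth-tokens delete -id {token['id']}"
    return Verdict(token["id"], token["user_id"], honoured, reason, entra_reprompt, revoke)


def audit(listing_json: str, now: datetime, reauth_window: timedelta = REAUTH_WINDOW,
          max_age: int | None = OIDC_MAX_AGE) -> list[Verdict]:
    items = json.loads(listing_json).get("items", [])
    return [evaluate_token(t, now, reauth_window, max_age) for t in items]


if __name__ == "__main__":
    for v in audit(SAMPLE_LIST, NOW):
        print(f"{v.token_id} ({v.user_id}): {v.reason}; "
              f"Entra re-prompt at next login: {v.entra_reprompt_on_next_login}")
        if v.revoke_command:
            print("  ->", v.revoke_command)
```

Against live data, feed the script the output of `boundary auth-tokens list -format json` (scoped with `-scope-id` as needed) and run the emitted `boundary auth-tokens delete` commands with an administrative token; revoking the token is what forces the next Boundary login, and only at that login does a max_age set via `boundary auth-methods update oidc -id <auth-method-id> -max-age 3600` reach Entra ID. Note that the second sample token is still honoured by the controller after six days of steady use, which is exactly the behaviour described in this article.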
Step 4: Feature Request for Customizable Token TTL
A feature request has been raised to allow customization of the token expiration configuration in HCP Boundary. Adding your use case to that request helps prioritize the capability, which would let users shorten the token lifetime to match their security requirements; no timeline has been committed.
Additional Information
For further details, refer to:
Understanding these configurations and their limitations lets users plan their authentication strategy in HCP Boundary accordingly and anticipate future enhancements that will provide greater flexibility in token management.