| 21 Mar 2024 |
 Brynn | I'm going to mock it up tomorrow, but I was thinking for oidc clients having a list of horizontal entries with basic info like name, categories, etc, and an edit button. Each entry can drop-down to reveal more advanced information such as secrets(hidden), uris, and other info. | 08:43:10 |
| Brynn | This could also carry over to other features like user managment | 08:44:49 |
 James | Exciting, can't wait haha | 08:48:31 |
| Brynn | Haha | 08:48:43 |
| James | Also secrets themselves wont be visible except when first generated | 08:49:20 |
| James | Let me show you why, one sec | 08:49:50 |
| James | https://datatracker.ietf.org/doc/html/rfc6819#section-5.1.4.1.3 | 08:50:39 |
| James | With the exception of I think one element, which is the client_secret_jwt client authentication method, end goal is client secrets will be hashed and encrypted | 08:51:33 |
| James | So there'd need to be a "rotate secret" or "regenerate secret" option. | 08:52:25 |
| Brynn | Yup. Understood. Will there be the option to allow manual entry of a secret at the time of client creation? What about length for auto generation? Always max length?(100char iirc) | 08:53:08 |
| James | I'm kind of undecided about that, I am leaning towards "that's an advanced use case" and we only give an option for the charset and a length between 40-100 characters for both the client id and secret. If they want to do something more manual maybe we give that option via CLI, but I'm still undecided so can swing my opinion either way | 08:55:54 |
| Brynn changed their display name from crowley723 to Brynn. | 08:55:56 |
| Brynn | Ok. I was thinking for some of the things that may introduce vulnerabilities like manual entry of secrets we put it behind "this is an advanced feature and requires reauthentication" or similar | 08:57:52 |
| James | If the user was viewing a client the id and probably redirect URIs would probably be hidden with the ID having a "show me" eye, and the redirect URIs being shown by some other good UX means. | 08:58:07 |
| Brynn | "Are you really sure you understand why you are doing this" | 08:58:35 |
| James | Yeah makes sense | 08:58:46 |
| Brynn | In reply to @james:authelia.com
If the user was viewing a client the id and probably redirect URIs would probably be hidden with the ID having a "show me" eye, and the redirect URIs being shown by some other good UX means. Yeah, the name visible and drop-down/expansion shows other fields hidden until reauth and reveal button | 08:59:41 |
| James | Yep, and those settings are the most security sensitive. So if they were a separate request to obtain them it makes for a much tighter security control over them, less chance of them being passively intercepted | 09:01:31 |
| James | Either visually or via other means | 09:01:41 |
| Brynn | I was just thinking that requiring any additional information beyond name and catagories/tags would be hidden until the user is reauthenticated. That would mean the drop-down and drop-down content would be unavailable at the time of page load. | 09:03:03 |
| Brynn | * I was just thinking that showing any additional information beyond name and catagories/tags would be hidden until the user is reauthenticated. That would mean the drop-down and drop-down content would be unavailable at the time of page load. | 09:03:17 |
| James | I like the idea, I feel like it may end up easier and harder to get wrong to just make accessing the entire admin UI at all requires a reauth. | 09:05:59 |
| James | * I like the idea, I feel like it may end up easier to implement and harder to get wrong to just make accessing the entire admin UI at all requires a reauth. | 09:06:11 |
| Brynn | Fair enough. Take a page from the zero trust book and timeout escalated admins after a configurable amount of time. | 09:07:19 |
| James | Yeah similar to how we did it for the settings UI but make it global. | 09:07:43 |
| James | user settings | 09:07:55 |
| Brynn | I didn't notice, does the user settings time you out? | 09:08:18 |
| James | I'm not fixed on either approach, I just know I had to fight a bit with react to get that to work right | 09:08:23 |
| James | Yeah it does | 09:08:32 |
| James | https://www.authelia.com/configuration/identity-validation/elevated-session/#elevation_lifespan | 09:09:08 |
