"It’s a common refrain these days — just search Google for 'Apple is too dependent on the iPhone'.
Arguing that Apple is in trouble because the iPhone is so popular is like arguing that the ’90s-era Chicago Bulls were in trouble because Michael Jordan was so good." - John Gruber, Daring Fireball
1. The best way to troubleshoot a problem is to give a dumb solution on the Internet. You will be flooded with corrections.
2. DevOps are promoted according to their level of ability. Once they reach a position they're not capable of handling, they won't be promoted any more. But they will stay in the position they can't handle.
3. There is no security or encryption scheme that doesn't have a way to be hacked.
4. Code reviews are very good at helping make buggy code more readable. So they got that going for them.
5. The probability of being called an idiot varies directly with the number of comments posted in a discussion.
There are two mod_auth_openidc session settings to consider. The first is:

# (Optional)
# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
OIDCSessionInactivityTimeout 3600

And then you can also set:

# (Optional)
# Maximum duration of the application session
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
OIDCSessionMaxDuration 24000
Suppose you are using the Apache mod_auth_openidc module for your OpenID Connect authentication. Be careful how you set up your Location directive:
OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
OIDCCryptoPassphrase <password>
OIDCScope "openid email"
<Location />
  AuthType openid-connect
  Require valid-user
  Require claim hd:YOURDOMAIN.com
  Allow from SOME IP ADDRESS
  Satisfy any
</Location>

This part of the conf file is supposed to mean that you are using authentication via OpenID Connect at the top level of the website. It also whitelists requests from a specific IP address, which allows them to bypass OpenID Connect. But it won't work this way. You'll find that the Satisfy any suddenly allows access from any IP address without authentication. The reason is Apache's host-access evaluation: with no Order directive the default is Order deny,allow, and under that order a request that matches neither an Allow nor a Deny rule is permitted. Since there is no Deny rule at all, the host check passes for every client, and Satisfy any then waives the OpenID Connect requirement for everyone. The solution is to have a default DENY directive:
OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
OIDCCryptoPassphrase <password>
OIDCScope "openid email"
<Location />
  Order deny,allow
  Deny from all
  AuthType openid-connect
  Require valid-user
  Require claim hd:YOURDOMAIN.com
  Allow from SOME IP ADDRESS
  Satisfy any
</Location>
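To check the two Location blocks without standing up a server, here is an added Python model (not Apache's or mod_auth_openidc's code) of the host-access evaluation behind Order, Deny, Allow and Satisfy. It assumes the Apache 2.2 / mod_access_compat semantics of those directives, represents "AuthType openid-connect plus every Require passing" as a single authenticated flag, uses constructed documentation-range IPs in place of SOME IP ADDRESS, and also covers Order allow,deny, which the page does not show.

```python
import ipaddress


def host_allowed(order, rules, client_ip):
    """Model of Apache's Order/Deny/Allow host check (added model, not Apache code).

    rules: [("Deny" | "Allow", "all" or an IP/CIDR), ...] as written in the block.
    """
    ip = ipaddress.ip_address(client_ip)

    def matches(pattern):
        return pattern == "all" or ip in ipaddress.ip_network(pattern, strict=False)

    denied = any(matches(p) for kind, p in rules if kind == "Deny")
    allowed = any(matches(p) for kind, p in rules if kind == "Allow")
    if order == "deny,allow":
        # Deny rules first, an Allow match overrides them, and a request that
        # matches NEITHER is permitted. This is the default when no Order is given.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules first, a Deny match overrides them, and a request that
        # matches neither is refused.
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")


def access_granted(order, rules, client_ip, authenticated, satisfy="any"):
    """Combine the host check with the OIDC result the way Satisfy does.

    authenticated: True when AuthType openid-connect succeeded and every
    Require (valid-user, claim hd:YOURDOMAIN.com) passed.
    """
    host_ok = host_allowed(order, rules, client_ip)
    return (host_ok or authenticated) if satisfy == "any" else (host_ok and authenticated)


# Constructed stand-ins for the page's placeholders (documentation IP ranges).
OFFICE_IP = "203.0.113.10"    # the address meant to bypass OpenID Connect
STRANGER_IP = "198.51.100.7"  # any other client on the Internet

# First block on the page: no Order, no Deny, just Allow + Satisfy any.
BROKEN = ("deny,allow", [("Allow", OFFICE_IP)])
# Second block on the page: Order deny,allow and Deny from all before the Allow.
FIXED = ("deny,allow", [("Deny", "all"), ("Allow", OFFICE_IP)])


def stranger_without_login(config):
    """Does an unauthenticated client from an arbitrary IP get through?"""
    order, rules = config
    return access_granted(order, rules, STRANGER_IP, authenticated=False)


if __name__ == "__main__":
    print("broken block admits unauthenticated stranger:", stranger_without_login(BROKEN))
    print("fixed block admits unauthenticated stranger:", stranger_without_login(FIXED))
```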