Add max age to oidc mfa settings.

gravitational · Oct 7, 2024 · 2b3c6d0 · 2b3c6d0
1 parent 805eb8e
commit 2b3c6d0
Show file tree

Hide file tree

Showing 2 changed files with 1,029 additions and 993 deletions.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -4588,6 +4588,10 @@ message OIDCConnectorMFASettings {
   // Prompt is an optional OIDC prompt. An empty string omits prompt.
   // If not specified, it defaults to select_account for backwards compatibility.
   string prompt = 5;
+  // MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to
+  // 0 to always force re-authentication for MFA checks. This should only be set to a non-zero
+  // value if the IdP is setup to perform MFA checks on top of active user sessions.
+  int64 max_age = 6 [(gogoproto.casttype) = "Duration"];
 }
 
 // OIDCAuthRequest is a request to authenticate with OIDC