MEDIUM M30: OAuth Configuration P3

Overview

Configures OpenShift OAuth server token policies to enforce session timeouts and token expiration. Reduces the risk of session hijacking by limiting how long OAuth tokens remain valid.

Profile: NIST 800-53 Moderate (ocp4-moderate)

Status: Partial — oauth-or-oauthclient-inactivity-timeout passes with the MachineConfig. oauth-or-oauthclient-token-maxage is a platform-level OAuth configuration that requires an OAuth CR patch, not a MachineConfig.

Compliance Checks

Check                                      Description                            Status
oauth-or-oauthclient-inactivity-timeout    Set OAuth client inactivity timeout    PASS
oauth-or-oauthclient-token-maxage          Set OAuth access token maximum age     FAIL (platform config)

Remediation for token-maxage

This check requires patching the OAuth cluster resource directly:

oc patch oauth cluster --type merge -p '{"spec":{"tokenConfig":{"accessTokenMaxAgeSeconds":28800}}}'

This is a platform-level change, not deployable via MachineConfig.

Verification

Confirm the patch took effect by reading back the tokenConfig stanza; the output should show accessTokenMaxAgeSeconds set to 28800:

oc get oauth cluster -o jsonpath='{.spec.tokenConfig}'
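The following is an added example, not part of this tracking page or of the Compliance Operator: it evaluates both checks above offline against the JSON that `oc get oauth cluster -o json` would return, and builds the same merge-patch body used in the remediation command. The sample OAuth object, the 28800-second limit and the rule that an unset or zero max age counts as FAIL are this script's own assumptions.

```python
import json
import re

# Upper bound this script enforces for accessTokenMaxAgeSeconds (assumed policy value,
# matching the 28800 s used in the remediation patch above).
MAX_AGE_LIMIT_SECONDS = 28800

_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(value):
    """Parse a Kubernetes-style duration such as '10m0s' or '300s' into seconds.
    Returns None when the value is missing or malformed."""
    if not value or not re.fullmatch(r"(\d+[hms])+", value):
        return None
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_RE.findall(value))


def build_maxage_patch(max_age_seconds):
    """Build the body passed to `oc patch oauth cluster --type merge -p ...`."""
    patch = {"spec": {"tokenConfig": {"accessTokenMaxAgeSeconds": max_age_seconds}}}
    return json.dumps(patch, separators=(",", ":"))


def evaluate_token_config(oauth_json):
    """Return {check-name: 'PASS'|'FAIL'} for the two checks on an OAuth object."""
    token_config = json.loads(oauth_json).get("spec", {}).get("tokenConfig") or {}
    # token-maxage: an explicit upper bound must be configured and within the limit.
    # Unset (server default applies) or 0 is treated as FAIL: no explicit bound is set.
    max_age = token_config.get("accessTokenMaxAgeSeconds")
    maxage_ok = isinstance(max_age, int) and 0 < max_age <= MAX_AGE_LIMIT_SECONDS
    # inactivity-timeout: must be present and parse to a positive duration.
    inactivity = parse_duration(token_config.get("accessTokenInactivityTimeout"))
    inactivity_ok = inactivity is not None and inactivity > 0
    return {
        "oauth-or-oauthclient-token-maxage": "PASS" if maxage_ok else "FAIL",
        "oauth-or-oauthclient-inactivity-timeout": "PASS" if inactivity_ok else "FAIL",
    }


def apply_patch(oauth_json, patch_json):
    """Simulate the merge patch locally so the post-remediation state can be evaluated."""
    doc, patch = json.loads(oauth_json), json.loads(patch_json)
    doc.setdefault("spec", {}).setdefault("tokenConfig", {}).update(patch["spec"]["tokenConfig"])
    return json.dumps(doc)


# Constructed sample: inactivity timeout set, max age not yet patched (the state on this page).
SAMPLE_BEFORE = json.dumps({"apiVersion": "config.openshift.io/v1", "kind": "OAuth",
                            "metadata": {"name": "cluster"},
                            "spec": {"tokenConfig": {"accessTokenInactivityTimeout": "10m0s"}}})

if __name__ == "__main__":
    print("before:", evaluate_token_config(SAMPLE_BEFORE))
    print("after: ", evaluate_token_config(apply_patch(SAMPLE_BEFORE, build_maxage_patch(28800))))
```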