MEDIUM Mixed M30: OAuth Configuration P3

Status: Partial | Ticket: CNF-23454 | Synced: 2026-05-05

Overview

Configures OpenShift OAuth server token policies to enforce session timeouts and token expiration. Reduces the risk of session hijacking by limiting how long OAuth tokens remain valid.

Profile: NIST 800-53 Moderate (ocp4-moderate)

Status: Partial — oauth-or-oauthclient-inactivity-timeout passes with the MachineConfig. oauth-or-oauthclient-token-maxage is a platform-level OAuth configuration that requires an OAuth CR patch, not a MachineConfig.

Compliance Checks

Check                                     Description                           Status
oauth-or-oauthclient-inactivity-timeout   Set OAuth client inactivity timeout   PASS
oauth-or-oauthclient-token-maxage         Set OAuth access token maximum age    FAIL (platform config)

Remediation for token-maxage

This check requires patching the OAuth cluster resource directly:

oc patch oauth cluster --type merge -p '{"spec":{"tokenConfig":{"accessTokenMaxAgeSeconds":28800}}}'

This is a platform-level change, not deployable via MachineConfig.

Verification

oc get oauth cluster -o jsonpath='{.spec.tokenConfig}'
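As an added example (not part of this tracker entry and not OpenShift project code), the following Python check evaluates the tokenConfig object that the verification command above returns, against both compliance checks listed on this page. The sample document is constructed inline to mirror the shape of `oc get oauth cluster -o json` after the patch. The 28800-second maximum age is the value from the remediation; the inactivity field name `accessTokenInactivityTimeout` (a Go-style duration in the OAuth CR) and the 600-second inactivity threshold are assumptions for this example.

```python
import json
import re

# Constructed sample: the relevant part of what `oc get oauth cluster -o json`
# returns once the remediation patch from this page has been applied.
SAMPLE_OAUTH_CR = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "OAuth",
    "metadata": {"name": "cluster"},
    "spec": {
        "tokenConfig": {
            "accessTokenMaxAgeSeconds": 28800,
            # assumed field name; Go-style duration string
            "accessTokenInactivityTimeout": "10m0s",
        }
    },
})

# Thresholds: maxAge comes from the page's remediation; the inactivity
# limit is an assumed policy value, not something the page states.
MAX_AGE_LIMIT_SECONDS = 28800
INACTIVITY_LIMIT_SECONDS = 600  # assumed

_DURATION_RE = re.compile(r"(\d+)([hms])")


def parse_duration(value):
    """Parse a Go-style duration such as '10m0s' or '1h30m' into seconds.

    Returns None for an empty value or anything that is not a sequence of
    <number><unit> groups, so a malformed setting fails closed.
    """
    if not isinstance(value, str) or not value:
        return None
    if not re.fullmatch(r"(\d+[hms])+", value):
        return None
    multiplier = {"h": 3600, "m": 60, "s": 1}
    return sum(int(n) * multiplier[u] for n, u in _DURATION_RE.findall(value))


def evaluate_token_config(oauth_json):
    """Map each check name to a (status, detail) tuple.

    A missing tokenConfig or missing field is reported as FAIL, because the
    cluster then runs on platform defaults rather than the hardened values.
    """
    doc = json.loads(oauth_json)
    token_cfg = doc.get("spec", {}).get("tokenConfig") or {}
    results = {}

    max_age = token_cfg.get("accessTokenMaxAgeSeconds")
    if not isinstance(max_age, int) or max_age <= 0:
        results["oauth-or-oauthclient-token-maxage"] = (
            "FAIL", "accessTokenMaxAgeSeconds not set; platform default applies")
    elif max_age > MAX_AGE_LIMIT_SECONDS:
        results["oauth-or-oauthclient-token-maxage"] = (
            "FAIL", f"accessTokenMaxAgeSeconds={max_age} exceeds {MAX_AGE_LIMIT_SECONDS}")
    else:
        results["oauth-or-oauthclient-token-maxage"] = (
            "PASS", f"accessTokenMaxAgeSeconds={max_age}")

    raw_timeout = token_cfg.get("accessTokenInactivityTimeout")
    timeout = parse_duration(raw_timeout)
    if timeout is None or timeout <= 0:
        results["oauth-or-oauthclient-inactivity-timeout"] = (
            "FAIL", f"accessTokenInactivityTimeout missing or unparseable: {raw_timeout!r}")
    elif timeout > INACTIVITY_LIMIT_SECONDS:
        results["oauth-or-oauthclient-inactivity-timeout"] = (
            "FAIL", f"inactivity timeout {timeout}s exceeds {INACTIVITY_LIMIT_SECONDS}s")
    else:
        results["oauth-or-oauthclient-inactivity-timeout"] = (
            "PASS", f"inactivity timeout {timeout}s")

    return results


if __name__ == "__main__":
    for check, (status, detail) in evaluate_token_config(SAMPLE_OAUTH_CR).items():
        print(f"{status:4} {check}: {detail}")
```

To run it against a live cluster, pipe the real output in place of the sample: `oc get oauth cluster -o json | python3 -c '...'` and pass the JSON text to `evaluate_token_config`. The duration parser deliberately rejects anything it does not fully understand rather than guessing, so a typo in the CR shows up as FAIL instead of silently passing.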