Login and Authentication Security
Brute Force Password Attack
To limit brute force password guessing, user-mgmt-service supports a standard protection of a maximum number of login attempts followed by a lockout period.
If an account exceeds the maximum number of failed login attempts, the account is locked for a configured period of time. This feature is disabled by default, but can be enabled and configured in the custom-values.yaml file:
user-mgmt-service:
  config:
    LoginMaxAttempts: 5
    LoginLockWindowMin: 15
- LoginMaxAttempts: The maximum number of failed login attempts allowed before the account is locked.
- LoginLockWindowMin: The duration (in minutes) for which the account stays locked after the maximum number of login attempts has been exceeded.
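The following is an added, illustrative model of the attempt-counter and lockout-window behaviour configured above. It is not the user-mgmt-service code; the LoginGuard class, its per-account counters and the injectable clock are assumptions made for the demonstration, and the credential and timestamps are constructed.

```python
import time


class LoginGuard:
    """Illustrative per-account lockout tracker (hypothetical; not the
    user-mgmt-service implementation). The two parameters mirror
    LoginMaxAttempts and LoginLockWindowMin from custom-values.yaml."""

    def __init__(self, max_attempts=5, lock_window_min=15, clock=time.time):
        self.max_attempts = max_attempts
        self.lock_window_s = lock_window_min * 60
        self.clock = clock            # injectable so the demo can fast-forward time
        self.failures = {}            # username -> consecutive failed attempts
        self.locked_until = {}        # username -> unix time the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock window elapsed: clear the lock and the failure counter.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password, verify):
        """Process one login attempt; returns 'locked', 'ok' or 'fail'."""
        if self.is_locked(user):
            # A locked account rejects every attempt, right password or not,
            # so further guesses yield no signal to the attacker.
            return "locked"
        if verify(user, password):
            self.failures.pop(user, None)   # success resets the counter
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_attempts:
            self.locked_until[user] = self.clock() + self.lock_window_s
        return "fail"


def simulate_brute_force():
    """Drive the guard with a fake clock: 5 wrong guesses, then the real
    password while locked, then the real password after the window."""
    now = [1_700_000_000.0]                      # constructed start time
    guard = LoginGuard(max_attempts=5, lock_window_min=15, clock=lambda: now[0])
    creds = {"alice": "correct-horse"}           # constructed demo credential
    verify = lambda u, p: creds.get(u) == p

    outcomes = [guard.attempt("alice", f"guess{i}", verify) for i in range(5)]
    outcomes.append(guard.attempt("alice", "correct-horse", verify))  # locked
    now[0] += 14 * 60
    outcomes.append(guard.attempt("alice", "correct-horse", verify))  # still locked
    now[0] += 60 + 1                             # 15 min window has elapsed
    outcomes.append(guard.attempt("alice", "correct-horse", verify))  # ok
    return outcomes


if __name__ == "__main__":
    print(simulate_brute_force())
```

Note the trade-off this model makes visible: because the lock is keyed by account, anyone who knows a username can lock that user out for LoginLockWindowMin minutes by sending LoginMaxAttempts bad passwords, so choose the window with that in mind.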
Redis Storage for Session Cookies
To limit the damage from cookie hijacking, oauth2-proxy can be configured to keep session state in a Redis cache instead of only in the cookie. With this feature enabled, the cookie is only a reference to a server-side session: it is valid while the user is logged in, and once the user logs out the session is removed and the cookie is rejected. This prevents an attacker from replaying a previously validated cookie after logout. A cookie stolen during an active session is still accepted until the user logs out or the session expires, so this setting shortens the window of exposure rather than closing it entirely.
This feature is disabled by default, but can be enabled and configured in the custom-values.yaml file.
To use the default setup, add the following to custom-values.yaml:
kfuse-auth:
  oauth2-proxy:
    redisSessionStorage:
      enabled: true
If you want more customization, you can set additional settings, for example to point oauth2-proxy at a Redis Sentinel deployment:
kfuse-auth:
  oauth2-proxy:
    redisSessionStorage:
      enabled: true
      sentinelEnabled: true
      redisName: "mymaster"
      redisConnectionUrl: "redis://kfuse-redis:26379"
For more information on the configuration options, see the oauth2-proxy documentation.
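The following added example contrasts the two session models the section describes: a self-contained signed cookie, which nothing server-side can revoke, against a cookie that only carries a ticket into a server-side store, which logout deletes. It is not oauth2-proxy or kfuse-auth code; the real implementation encrypts the cookie and keeps an encrypted session record in Redis keyed by a ticket, whereas this model uses a plain HMAC-signed payload and a dict in place of Redis. The secret, user name and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

COOKIE_SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed for the demo
TTL_S = 3600


# --- Model 1: stateless cookie; all session state is signed into the cookie ---
def issue_stateless_cookie(user, now):
    payload = json.dumps({"u": user, "exp": now + TTL_S}).encode()
    sig = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_stateless_cookie(cookie, now):
    """Returns the user if the signature is valid and unexpired, else None.
    There is no server-side record to consult, so logout cannot revoke it."""
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    return claims["u"] if now < claims["exp"] else None


# --- Model 2: server-side session store; the cookie only carries a ticket ---
class SessionStore:
    """Stand-in for the Redis session store (a dict instead of a Redis client)."""

    def __init__(self):
        self.sessions = {}                      # ticket -> {"u": user, "exp": t}

    def login(self, user, now):
        ticket = secrets.token_urlsafe(32)      # unguessable session reference
        self.sessions[ticket] = {"u": user, "exp": now + TTL_S}
        return ticket                           # this is what the cookie holds

    def verify(self, ticket, now):
        s = self.sessions.get(ticket)
        if s is None or now >= s["exp"]:
            self.sessions.pop(ticket, None)
            return None
        return s["u"]

    def logout(self, ticket):
        self.sessions.pop(ticket, None)         # revocation is a single delete


def replay_after_logout():
    """An attacker copies alice's cookie while she is logged in, then replays
    it before and after she logs out, under both models."""
    now = 1_700_000_000                         # constructed timestamp
    results = {}

    stolen = issue_stateless_cookie("alice", now)
    results["stateless_before_logout"] = verify_stateless_cookie(stolen, now + 10)
    # "Logout" in the stateless model only deletes the browser's copy;
    # the attacker's copy still verifies until it expires.
    results["stateless_after_logout"] = verify_stateless_cookie(stolen, now + 20)

    store = SessionStore()
    stolen_ticket = store.login("alice", now)
    results["redis_before_logout"] = store.verify(stolen_ticket, now + 10)
    store.logout(stolen_ticket)                 # alice logs out
    results["redis_after_logout"] = store.verify(stolen_ticket, now + 20)
    return results


if __name__ == "__main__":
    for key, value in replay_after_logout().items():
        print(f"{key:26} -> {value}")
```

Both models accept the stolen cookie while the session is active; the difference is only that the server-side store gives logout something to delete, which is the behaviour redisSessionStorage turns on.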