Hydra refresh token TTL 설정 경로 정리

2026-06-15 14:18:56 +09:00
parent 3cdb7ce19f
commit bfd9cab260
6 changed files with 10 additions and 4 deletions
--- a/.env.sample
+++ b/.env.sample
@@ -146,6 +146,8 @@ HYDRA_PUBLIC_URL=${OATHKEEPER_PUBLIC_URL}/oidc
 # HYDRA_LOGIN_URL=https://sso.hmac.kr/login
 # HYDRA_CONSENT_URL=https://sso.hmac.kr/consent
 # HYDRA_ERROR_URL=https://sso.hmac.kr/error
+# Refresh Token 만료시각 source of truth (Hydra + backend ID Token rt_expires_at claim)
+HYDRA_REFRESH_TOKEN_TTL=720h

 # Kratos allowed_return_urls 확장 목록 (콤마 구분, 선택)
 # 기본값은 KRATOS_UI_URL, USERFRONT_URL, 각 callback URL을 자동 포함합니다.
@@ -183,4 +185,3 @@ VITE_ORGCHART_URL=

 # promtail에서 로그를 전송받을 Loki 서버 엔드포인트 URL
 LOKI_URL=http://loki:3100/loki/api/v1/push
-
--- a/.gitea/workflows/production_release.yml
+++ b/.gitea/workflows/production_release.yml
@@ -124,6 +124,7 @@ jobs:
            "ORGFRONT_URL=${{ vars.ORGFRONT_URL }}" \
            "BACKEND_URL=${{ vars.PROD_BACKEND_URL }}" \
            "VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}" \
+            "HYDRA_REFRESH_TOKEN_TTL=${{ vars.HYDRA_REFRESH_TOKEN_TTL }}" \
            "ADMINFRONT_CALLBACK_URLS=${{ vars.ADMINFRONT_CALLBACK_URLS }}" \
            "DEVFRONT_CALLBACK_URLS=${{ vars.DEVFRONT_CALLBACK_URLS }}" \
            "ORGFRONT_CALLBACK_URLS=${{ vars.ORGFRONT_CALLBACK_URLS }}" \
@@ -135,7 +136,7 @@ jobs:
          DB_USER DB_PASSWORD DB_NAME COOKIE_SECRET JWT_SECRET REDIS_ADDR
          NAVER_CLOUD_ACCESS_KEY NAVER_CLOUD_SECRET_KEY NAVER_CLOUD_SERVICE_ID NAVER_SENDER_PHONE_NUMBER
          AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SES_SENDER
-          USERFRONT_URL ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL BACKEND_URL VITE_OIDC_AUTHORITY
+          USERFRONT_URL ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL BACKEND_URL VITE_OIDC_AUTHORITY HYDRA_REFRESH_TOKEN_TTL
          ADMINFRONT_CALLBACK_URLS DEVFRONT_CALLBACK_URLS ORGFRONT_CALLBACK_URLS
          "
          for key in ${required_dotenv_keys}; do
--- a/.gitea/workflows/staging_code_pull.yml
+++ b/.gitea/workflows/staging_code_pull.yml
@@ -116,6 +116,7 @@ jobs:
                  KRATOS_UI_URL=${{ vars.KRATOS_UI_URL }}
                  HYDRA_ADMIN_URL=${{ vars.HYDRA_ADMIN_URL }}
                  HYDRA_PUBLIC_URL=${{ vars.HYDRA_PUBLIC_URL }}
+                  HYDRA_REFRESH_TOKEN_TTL=${{ vars.HYDRA_REFRESH_TOKEN_TTL }}
                  JWKS_URL=${{ vars.JWKS_URL }}
                  OATHKEEPER_VERSION=${{ vars.OATHKEEPER_VERSION }}
                  OATHKEEPER_UID=${{ vars.OATHKEEPER_UID }}
--- a/.gitea/workflows/staging_release.yml
+++ b/.gitea/workflows/staging_release.yml
@@ -124,6 +124,7 @@ jobs:
          KRATOS_UI_URL=${{ vars.KRATOS_UI_URL }}
          HYDRA_ADMIN_URL=${{ vars.HYDRA_ADMIN_URL }}
          HYDRA_PUBLIC_URL=${{ vars.HYDRA_PUBLIC_URL }}
+          HYDRA_REFRESH_TOKEN_TTL=${{ vars.HYDRA_REFRESH_TOKEN_TTL }}
          JWKS_URL=${{ vars.JWKS_URL }}
          OATHKEEPER_VERSION=${{ vars.OATHKEEPER_VERSION }}
          OATHKEEPER_UID=${{ vars.OATHKEEPER_UID }}
@@ -158,7 +159,7 @@ jobs:
          USERFRONT_URL ORGFRONT_URL BACKEND_PUBLIC_URL BACKEND_URL OATHKEEPER_PUBLIC_URL
          ORY_POSTGRES_TAG ORY_POSTGRES_USER ORY_POSTGRES_PASSWORD ORY_POSTGRES_DB KRATOS_DB HYDRA_DB KETO_DB
          KRATOS_VERSION KRATOS_UI_NODE_VERSION HYDRA_VERSION KETO_VERSION ORY_SDK_URL KRATOS_PUBLIC_URL
-          KRATOS_ADMIN_URL KRATOS_BROWSER_URL KRATOS_UI_URL HYDRA_ADMIN_URL HYDRA_PUBLIC_URL JWKS_URL
+          KRATOS_ADMIN_URL KRATOS_BROWSER_URL KRATOS_UI_URL HYDRA_ADMIN_URL HYDRA_PUBLIC_URL HYDRA_REFRESH_TOKEN_TTL JWKS_URL
          OATHKEEPER_VERSION OATHKEEPER_UID OATHKEEPER_GID OATHKEEPER_HEALTH_URL OATHKEEPER_HEALTH_INTERVAL_SECONDS
          OATHKEEPER_HEALTH_TIMEOUT_SECONDS OATHKEEPER_HEALTH_ENABLED CSRF_COOKIE_NAME CSRF_COOKIE_SECRET
          VITE_OIDC_AUTHORITY ADMINFRONT_CALLBACK_URLS DEVFRONT_CALLBACK_URLS ORGFRONT_CALLBACK_URLS
--- a/docker/ory/hydra/hydra.yml.template
+++ b/docker/ory/hydra/hydra.yml.template
@@ -96,3 +96,4 @@ oidc:
 ttl:
    access_token: 15m
    id_token: 15m
+    refresh_token: ${HYDRA_REFRESH_TOKEN_TTL}
--- a/scripts/render_ory_config.sh
+++ b/scripts/render_ory_config.sh
@@ -183,10 +183,11 @@ KRATOS_DSN="${KRATOS_DSN:-postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWOR
 HYDRA_DSN="${HYDRA_DSN:-postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB}?sslmode=disable&max_conns=20}"
 KETO_DSN="${KETO_DSN:-postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB}?sslmode=disable&max_conns=20}"
 HYDRA_SYSTEM_SECRET="${HYDRA_SYSTEM_SECRET:-${SECRETS_SYSTEM:-${ORY_POSTGRES_PASSWORD}}}"
+HYDRA_REFRESH_TOKEN_TTL="${HYDRA_REFRESH_TOKEN_TTL:-720h}"
 OATHKEEPER_INTROSPECT_CLIENT_ID="${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}"
 OATHKEEPER_INTROSPECT_CLIENT_SECRET="${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}"

-export KRATOS_DSN HYDRA_DSN KETO_DSN HYDRA_SYSTEM_SECRET
+export KRATOS_DSN HYDRA_DSN KETO_DSN HYDRA_SYSTEM_SECRET HYDRA_REFRESH_TOKEN_TTL
 export OATHKEEPER_INTROSPECT_CLIENT_ID OATHKEEPER_INTROSPECT_CLIENT_SECRET

 resolve_kratos_session_cookie_domain