Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No Ability to override access token expiration #211

Open
kgoto1 opened this issue Aug 24, 2017 · 8 comments
Open

No Ability to override access token expiration #211

kgoto1 opened this issue Aug 24, 2017 · 8 comments
Labels
bug Something is not working.

Comments

@kgoto1
Copy link

kgoto1 commented Aug 24, 2017

It seems the config AccessTokenLifespan is always set for access_token expiration, although I can override refresh token expiration using the session. Whatever is set in the session ExpiresAt gets overwritten with the following line, so it seems we can't customize access_token length? It seems removing the second line would open up more options to customize per client, etc.

flow_authorize_code_token.go: Line 69
request.GetSession().SetExpiresAt(fosite.AccessToken, time.Now().Add(c.AccessTokenLifespan))

@aeneasr
Copy link
Member

aeneasr commented Aug 25, 2017

If you're using the default session, any previous value should not be overriden, see this line

@kgoto1
Copy link
Author

kgoto1 commented Aug 27, 2017

I'm using the openid.DefaultSession which has the same logic.
Hmm, but maybe I am not understanding this line.
https://github.com/ory/fosite/blob/master/handler/oauth2/flow_authorize_code_token.go#L64
It seems to always set expiresAt to c.AccessTokenLifespan, which you define once per provider instance.

maybe that line should be....
request.GetSession().SetExpiresAt**(getExpiresAt(authorizeRequest, fosite.AccessToken,
c.AccessTokenLifespan, time.Now()))**

then it would check for an existing expiresAt value??
edit: Actually... that line should just be removed, since the previous line is... :)
request.SetSession(authorizeRequest.GetSession())

@aeneasr
Copy link
Member

aeneasr commented Aug 28, 2017

Right, here's what I missed: You need to set the expiry of the session after calling NewAccessRequest(ctx context.Context, req *http.Request, session Session) (AccessRequester, error), not before - otherwise it get's overwritten. This is of course not ideal and the setter should only set the value if no previous value exists. Putting the expiry after NewAccessRequest should "hotfix" that though.

@aeneasr aeneasr added the bug Something is not working. label Aug 28, 2017
@kgoto1
Copy link
Author

kgoto1 commented Aug 29, 2017

Thanks, I was able to work around the problem with your suggestion. It would be helpful to document somewhere how expiry setting should work... I am setting this in the session on the initial /authorize handler, but it seems this could also be set in the /token handler, both take sessions by the fosite handlers and persisted. I'm not sure which is more standard or will be better supported.

kujenga added a commit to kujenga/fosite that referenced this issue Nov 15, 2017
This commit fixes an issue where the the various flows would override
previously set expiration times unconditionally.

closes ory#211
@kujenga
Copy link
Contributor

kujenga commented Nov 15, 2017

@arekkas I started a branch fixing this issue: master...kujenga:no-override-token-expiration

Do you have advice on how to test this, and what a good location would be to better document the behavior?

@aeneasr
Copy link
Member

aeneasr commented Nov 16, 2017

Nice, that looks good. Most of those flows have tests where the behaviour is checked quite thorougly, you could probably add another test case (or two) with expected in/outputs (e.g. input with time / expect output with same time, input without time / expect output with default time)

@aeneasr
Copy link
Member

aeneasr commented Nov 16, 2017

Regarding docs, maybe we could add an "FAQ", "Gotchas", or "Knowledge Base" section to the readme?

@mitar
Copy link
Contributor

mitar commented Apr 2, 2020

Two additional things for FAQ would be:

  • How to handle audiences.
  • That if you forget to call ar.GrantScope(scope) in your authorization endpoint for at least openid, OpenID breaks in very cryptic ways across various flows (some succeed, but do not return ID token, some say no handler was able to process the request, etc.).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something is not working.
Projects
None yet
Development

No branches or pull requests

4 participants