No Ability to override access token expiration #211
Comments
If you're using the default session, any previous value should not be overridden, see this line
I'm using the openid.DefaultSession which has the same logic. Maybe that line should be... then it would check for an existing expiresAt value?
Right, here's what I missed: You need to set the expiry of the session after calling
Thanks, I was able to work around the problem with your suggestion. It would be helpful to document somewhere how expiry setting should work... I am setting this in the session on the initial /authorize handler, but it seems this could also be set in the /token handler; both take sessions from the fosite handlers and are persisted. I'm not sure which is more standard or will be better supported.
This commit fixes an issue where the various flows would override previously set expiration times unconditionally. closes ory#211
@arekkas I started a branch fixing this issue: master...kujenga:no-override-token-expiration Do you have advice on how to test this, and what a good location would be to better document the behavior?
Nice, that looks good. Most of those flows have tests where the behaviour is checked quite thoroughly, you could probably add another test case (or two) with expected in/outputs (e.g. input with time / expect output with same time, input without time / expect output with default time)
Regarding docs, maybe we could add an "FAQ", "Gotchas", or "Knowledge Base" section to the readme?
Two additional things for the FAQ would be:
It seems the config AccessTokenLifespan is always set for access_token expiration, although I can override refresh token expiration using the session. Whatever is set in the session ExpiresAt gets overwritten with the following line, so it seems we can't customize access_token length? It seems removing the second line would open up more options to customize per client, etc.
flow_authorize_code_token.go, line 69:

```go
request.GetSession().SetExpiresAt(fosite.AccessToken, time.Now().Add(c.AccessTokenLifespan))
```
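As an added illustration (not fosite's code and not from this thread), here is a constructed Go model of a session keyed by token type, with the unconditional overwrite from flow_authorize_code_token.go beside the "keep a pre-set expiry" behaviour the fix branch aims for. The `Session` and `TokenType` names are assumptions standing in for fosite's DefaultSession and token kinds.

```go
package main

import "time"

// TokenType stands in for fosite's token kinds (name assumed here).
type TokenType string

const AccessToken TokenType = "access_token"

// Session is a constructed, minimal model of a fosite-style session
// holding per-token expiry times; it is not fosite's own type.
type Session struct {
	ExpiresAt map[TokenType]time.Time
}

func (s *Session) SetExpiresAt(key TokenType, exp time.Time) {
	if s.ExpiresAt == nil {
		s.ExpiresAt = make(map[TokenType]time.Time)
	}
	s.ExpiresAt[key] = exp
}

// GetExpiresAt returns the zero time when no expiry was stored.
func (s *Session) GetExpiresAt(key TokenType) time.Time {
	return s.ExpiresAt[key]
}

// applyLifespanBuggy reproduces the reported behaviour: the configured
// lifespan always wins, discarding what the handler put in the session.
func applyLifespanBuggy(s *Session, key TokenType, lifespan time.Duration, now time.Time) time.Time {
	s.SetExpiresAt(key, now.Add(lifespan))
	return s.GetExpiresAt(key)
}

// applyLifespanFixed keeps an expiry set earlier (e.g. in /authorize)
// and falls back to the configured lifespan only when none exists.
func applyLifespanFixed(s *Session, key TokenType, lifespan time.Duration, now time.Time) time.Time {
	if s.GetExpiresAt(key).IsZero() {
		s.SetExpiresAt(key, now.Add(lifespan))
	}
	return s.GetExpiresAt(key)
}

func main() {
	s := &Session{}
	s.SetExpiresAt(AccessToken, time.Now().Add(5*time.Minute))
	println(applyLifespanFixed(s, AccessToken, time.Hour, time.Now()).String())
}
```

Because the fixed path honours any pre-set value, a handler that stores a lifetime longer than the configured AccessTokenLifespan gets exactly that, so whichever handler sets ExpiresAt is where a maximum would have to be enforced.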