
Expiration time on oauth access_token is incorrect #1089

Closed
t1tcrucible opened this issue Mar 21, 2016 · 3 comments

Comments

@t1tcrucible

We have defined an oauth2 policy for an API:

```json
{
  "api_id": "2a47bd39-59dd-4a5c-918a-e3fd8ab99c40",
  "id": "42f54ebf-d772-4617-ad18-2e9bdfbe1010",
  "created_at": 1458555035000,
  "enabled": true,
  "name": "oauth2",
  "config": {
    "mandatory_scope": true,
    "token_expiration": 7200,
    "enable_implicit_grant": true,
    "scopes": [
      "basic",
      "extended",
      "full"
    ],
    "hide_credentials": false,
    "enable_password_grant": false,
    "accept_http_if_already_terminated": false,
    "provision_key": "2c731c2439da46a5961ba7c0ed6b4ae1",
    "enable_client_credentials": false,
    "enable_authorization_code": true
  }
}
```

The default expiration_time applies.
Later when we grant a user, using implicit grant, the access_token never expires. When we verify this (on the http://konggateway:8001/oauth2_tokens) we see:

```json
{
  "scope": "basic extended full",
  "access_token": "9a0e511ceae94d6889ef2cfa4710377e",
  "authenticated_userid": "[email protected]",
  "id": "f3f493fd-a793-44ef-9efe-08c0c1ae6670",
  "token_type": "bearer",
  "credential_id": "948d1c0c-caab-4833-a809-9406690b76cf",
  "created_at": 1458568850000,
  "expires_in": 0
}
```

When we look in the source code (in access.lua, oauth2 plugin):

```lua
-- TODO: Expire token (using TTL ?)
local function generate_token(conf, credential, authenticated_userid, scope, state, expiration, disable_refresh)
  local token_expiration = expiration or conf.token_expiration

  local token, err = dao.oauth2_tokens:insert({
    credential_id = credential.id,
    authenticated_userid = authenticated_userid,
    expires_in = token_expiration,
    scope = scope
  })
```

Should it work? I notice that 'expires_in = token_expiration', and in our case it's 0 even if we added 7200 as default to the Oauth2 policy on the API.

thank you in advance
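A way to catch this class of problem from the outside is to audit the tokens the Admin API lists and flag any whose lifetime is zero or disagrees with the plugin's `token_expiration`. The script below is an added example, not Kong's code; it assumes the `/oauth2_tokens` listing wraps entries in a `data` array (the sample payload is constructed around the token shown above, with a second healthy token added).

```python
import json
import time

# Lifetime configured in the issue's oauth2 plugin ("token_expiration": 7200).
EXPECTED_TOKEN_EXPIRATION = 7200

# Constructed sample shaped like an Admin API /oauth2_tokens listing (the "data"
# wrapper is an assumption). Entry 1 is the never-expiring token from the issue,
# entry 2 is a constructed token that honours the configured lifetime.
SAMPLE_TOKENS_RESPONSE = json.dumps({
    "total": 2,
    "data": [
        {"id": "f3f493fd-a793-44ef-9efe-08c0c1ae6670",
         "credential_id": "948d1c0c-caab-4833-a809-9406690b76cf",
         "authenticated_userid": "alice@example.com",  # constructed
         "token_type": "bearer", "scope": "basic extended full",
         "created_at": 1458568850000, "expires_in": 0},
        {"id": "00000000-0000-4000-8000-000000000001",  # constructed
         "credential_id": "948d1c0c-caab-4833-a809-9406690b76cf",
         "authenticated_userid": "bob@example.com",  # constructed
         "token_type": "bearer", "scope": "basic",
         "created_at": 1458568850000, "expires_in": 7200},
    ],
})


def audit_tokens(response_json, expected_expiration, now_ms):
    """Return (token_id, finding) pairs for tokens that violate the policy.

    never_expires   - expires_in is 0, so the token stays valid indefinitely
    policy_mismatch - non-zero expires_in that differs from the configured value
    stale           - lifetime has elapsed but the token is still listed
    """
    findings = []
    for tok in json.loads(response_json)["data"]:
        expires_in = int(tok.get("expires_in", 0))
        if expires_in == 0:
            findings.append((tok["id"], "never_expires"))
            continue
        if expires_in != expected_expiration:
            findings.append((tok["id"], "policy_mismatch"))
        # created_at is in milliseconds, expires_in in seconds
        if int(tok["created_at"]) + expires_in * 1000 <= now_ms:
            findings.append((tok["id"], "stale"))
    return findings


if __name__ == "__main__":
    now = int(time.time() * 1000)
    for token_id, finding in audit_tokens(SAMPLE_TOKENS_RESPONSE, EXPECTED_TOKEN_EXPIRATION, now):
        print(f"{finding}: {token_id}")
```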

@t1tcrucible
Author

Some additional info, in the RFC for OAuth2 - implicit grant:

> expires_in
> RECOMMENDED. The lifetime in seconds of the access token. For
> example, the value "3600" denotes that the access token will
> expire in one hour from the time the response was generated.
> If omitted, the authorization server SHOULD provide the
> expiration time via other means or document the default value.

Can we assume the expiration time is always 0 for this profile?

@subnetmarco subnetmarco self-assigned this Mar 21, 2016
subnetmarco added a commit that referenced this issue Mar 22, 2016
@subnetmarco
Member

This was a bug and has been closed. Expect the fix to be shipped in the next release.

@t1tcrucible
Author

thanks!
