OAuth2AccessTokenResponse.Builder does not set expiresAt from refresh token #8696


Closed
MatCuk opened this issue Jun 16, 2020 · 4 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); status: invalid (An issue that we don't feel is valid)

Comments


MatCuk commented Jun 16, 2020

Describe the bug
OAuth2RefreshToken always sets expiresAt to null
https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2RefreshToken.java

To Reproduce
Have a refresh token with the "exp" field set.

Expected behavior
org.springframework.security.oauth2.core.OAuth2RefreshToken should have expiresAt set from JWT.

Sample
```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJtYXRjdWsiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYXRpIjoiZDcyMzgxNDUtMDIzZS00ZWMzLTk0MDItMzAyMDVjM2JlNGJjIiwiZXhwIjoxNTkyMzU2OTAzLCJqdGkiOiI1OTcxZWI3ZS1kOTYyLTRiZmMtODJmYS1kZDYyZTc2NjQ3ZGEifQ.QgQYBkOdkxzuulo9Ka0k9GlRRCXxY1WCTY52zF9Geg0
```

Decoded payload:

```json
{
  "user_name": "matcuk",
  "scope": ["read", "write"],
  "ati": "d7238145-023e-4ec3-9402-30205c3be4bc",
  "exp": 1592356903,
  "jti": "5971eb7e-d962-4bfc-82fa-dd62e76647da"
}
```

So to me it looks like the exp field is ignored in the case of a refresh token.

Note that the access token would have a different expiresAt (5 minutes vs 12 hours).

@MatCuk MatCuk added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jun 16, 2020
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 16, 2020
jgrandja (Contributor) commented Jun 22, 2020

@MatCuk

As per the spec, in Section 5.1 (Successful Response), the expires_in parameter is the lifetime in seconds of the access token. There is no equivalent of expires_in for refresh_token.

I'm going to close this as "implemented per spec".

@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Jun 22, 2020
MatCuk (Author) commented Jun 23, 2020

Hi, ok, thanks for the reply. Then it seems the app is setting expiresAt on the refresh token and rejecting it after that, even though it should not. Is there any simple way to handle this on the client side? Like evicting the refresh token. Implement a custom ReactiveClientRegistrationRepository?

jgrandja (Contributor) commented Jun 25, 2020

@MatCuk I don't fully understand...

> it seems the app is setting expires at to refresh token and rejecting it after that even it should not

Can you put together a minimal sample that reproduces the issue so I can better understand the issue you are facing?

@windmueller

@jgrandja I am a bit confused here. Expiration support for refresh tokens has been added with #9146. However, OAuth2AccessTokenResponse still sets the expiration date to null.
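An added example, not code from the issue or from Spring Security: plain Java (java.time and java.util.Base64 only, no Spring dependency) that reads the exp claim from a JWT-shaped refresh token such as the sample posted above, which is the client-side check the later comments ask about. The claim is read without verifying the signature, so the result is only a housekeeping hint for evicting a stored token early, never an authorization decision, and an opaque refresh token (the spec's default, with no expires_in equivalent) yields no expiry at all. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Reads the "exp" claim of a JWT-shaped refresh token; the class and method names are my own. */
public final class RefreshTokenExpiry {
    // Matches "exp": <digits> in the decoded payload; enough for this check, no JSON parser needed.
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    /**
     * Expiry from the token's "exp" claim, or empty when the token is not a three-part JWT or has
     * no "exp". An opaque refresh token (the spec's default) yields empty, which is what
     * OAuth2RefreshToken#getExpiresAt returns for it. The signature is NOT checked here: only the
     * authorization server decides whether a refresh token is still valid.
     */
    public static Optional<Instant> expiresAt(String refreshToken) {
        if (refreshToken == null) {
            return Optional.empty();
        }
        String[] parts = refreshToken.split("\\.");
        if (parts.length != 3) {
            return Optional.empty(); // opaque token, not a JWT
        }
        String payload;
        try {
            payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // middle segment is not base64url; treat as opaque
        }
        Matcher m = EXP_CLAIM.matcher(payload);
        return m.find() ? Optional.of(Instant.ofEpochSecond(Long.parseLong(m.group(1)))) : Optional.empty();
    }
    /** True only when an "exp" claim exists and is already in the past; without the claim, never expired here. */
    public static boolean isExpired(String refreshToken, Instant now) {
        return expiresAt(refreshToken).map(exp -> !exp.isAfter(now)).orElse(false);
    }

    public static void main(String[] args) {
        // The refresh token posted in the issue: exp = 1592356903, i.e. 2020-06-17T01:21:43Z.
        String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            + "eyJ1c2VyX25hbWUiOiJtYXRjdWsiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYXRpIjoiZDcyMzgxNDUtMDIzZS00ZWMzLTk0MDItMzAyMDVjM2JlNGJjIiwiZXhwIjoxNTkyMzU2OTAzLCJqdGkiOiI1OTcxZWI3ZS1kOTYyLTRiZmMtODJmYS1kZDYyZTc2NjQ3ZGEifQ."
            + "QgQYBkOdkxzuulo9Ka0k9GlRRCXxY1WCTY52zF9Geg0";
        System.out.println("expiresAt = " + expiresAt(token).orElse(null));
        System.out.println("expired by 2020-06-18? " + isExpired(token, Instant.parse("2020-06-18T00:00:00Z")));
        System.out.println("opaque token expiresAt = " + expiresAt("opaque-refresh-token-value"));
    }
}
```

Run with `java RefreshTokenExpiry.java` (Java 11+); a client that wants to evict early would call `OAuth2AuthorizedClientService.removeAuthorizedClient(registrationId, principalName)` when `isExpired` is true, and otherwise still let the authorization server be the one to reject the token.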
