Skip to content

OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from another response #8702

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
benba opened this issue Jun 17, 2020 · 4 comments
Closed

OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from another response #8702

benba opened this issue Jun 17, 2020 · 4 comments
Assignees
@benba
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Milestone
5.4.0-M2

Comments

@benba
Copy link
Contributor

benba commented Jun 17, 2020

Describe the bug
OAuth2AccessTokenResponse doesn't use values provided to expiresIn() method when it was originally built from a previous response (through the withResponse() method).

Expected behavior
The newly created token response should update expiresAt using the value the provided to expiresIn(), or maybe throw an exception if keeping the original expiresAt value is done on purpose.

Sample

@Test
public void test() {
    var sourceTokenResponse = OAuth2AccessTokenResponse.withToken("abcd")
            .tokenType(OAuth2AccessToken.TokenType.BEARER)
            .expiresIn(10)
            .build();
    var modifiedTokenResponse = OAuth2AccessTokenResponse
            .withResponse(sourceTokenResponse)
            .expiresIn(60)
            .build();
    Assertions.assertEquals(
            modifiedTokenResponse.getAccessToken().getIssuedAt().plusSeconds(60),
            modifiedTokenResponse.getAccessToken().getExpiresAt());
}

Note
May be linked to #8696 ?
@benba benba added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jun 17, 2020
@jgrandja
Copy link
Contributor

@benba It doesn't make sense to call OAuth2AccessTokenResponse.withResponse(sourceTokenResponse).expiresIn(60), since the supplied sourceTokenResponse provides the expiresAt. If you want to explicitly configure expiresIn() then call OAuth2AccessTokenResponse.withToken() instead.

@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jun 22, 2020
@benba
Copy link
Contributor Author

benba commented Jun 22, 2020
edited
Loading

@jgrandja sure, it's just that you need to copy all the entries manually:

OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue())
                .tokenType(accessToken.getTokenType())
                .scopes(accessToken.getScopes())
                .expiresIn(Duration.ofDays(1).toSeconds())
                .refreshToken(original.getRefreshToken().getTokenValue())
                .additionalParameters(original.getAdditionalParameters())
                .build();

Maybe I understand this wrong but I thought of the withResponse()or withToken() as a way to copy values from a response or a token to the Builder, and then being able to change them.
Anyway, why not throwing an exception if expiresIn() is called while expiresAtis already set, instead of silently ignoring the error?

@jgrandja jgrandja added status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: enhancement A general enhancement and removed status: invalid An issue that we don't feel is valid labels Jun 25, 2020
@jgrandja jgrandja reopened this Jun 25, 2020
@jgrandja
Copy link
Contributor

@benba I see your point...

why not throwing an exception if expiresIn() is called while expiresAt is already set, instead of silently ignoring the error?

However, throwing an exception would be too much I think. How about setting this.expiresAt = null when expiresIn() is called? Would you be interested in submitting a PR for this?

@jgrandja jgrandja added this to the 5.4.x milestone Jun 25, 2020
@jgrandja jgrandja removed their assignment Jun 25, 2020
@benba benba mentioned this issue Jun 26, 2020
Closed
@benba
Copy link
Contributor Author

benba commented Jun 26, 2020

@jgrandja PR submitted

benba added a commit to benba/spring-security that referenced this issue Jun 26, 2020
@benba
OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse
756c34b 
Closes spring-projectsgh-8702
@jgrandja jgrandja changed the title OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from antoher reponse OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from another response Jun 30, 2020
@jgrandja jgrandja removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Jun 30, 2020
@jgrandja jgrandja modified the milestones: 5.4.x, 5.4.0-M2 Jun 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@benba benba

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
None yet
Milestone
5.4.0-M2
Development

Successfully merging a pull request may close this issue.

OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse benba/spring-security
2 participants
@benba @jgrandja