The Wayback Machine - https://web.archive.org/web/20200918105912/https://github.com/ory/fosite/pull/334
Skip to content

/ fosite

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

do omit exp if ExpiresAt is zero value #334

Merged
merged 2 commits into from Nov 12, 2018
Merged

do omit exp if ExpiresAt is zero value #334

merged 2 commits into from Nov 12, 2018

Conversation

@nerocrux
Copy link
Contributor

nerocrux commented Nov 9, 2018
edited

Related issue

  • None

Proposed changes

  • Make sure exp will be omitted if GetExpiresAt(AccessToken) is nil or zero value (no expiration)
  • Currently, even if GetExpiresAt(AccessToken) is zero value, Unix() will be called, and ExpiresAt will be set to -62135596800 because golang's zero time is 0001-01-01T00:00:00Z but not 1970-01-01T00:00:00Z

Checklist

  • I have read the contributing guidelines
  • I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security
    vulnerability, I confirm that I got green light (please contact hi@ory.sh) from the maintainers to push the changes.
  • I signed the Developer's Certificate of Origin
    by signing my commit(s). You can amend your signature to the most recent commit by using git commit --amend -s. If you
    amend the commit, you might need to force push using git push --force HEAD:<branch>. Please be very careful when using
    force push.
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)

Further comments

  • Currently, even if we introspect RefreshToken, AccessToken's ExpiresAt will be return in exp. Not sure if this is corrent. Maybe it's better to always omit exp field if we introspect RefreshToken, because there is no expiration time for RefreshToken.
  • If omit exp for introspect RefreshToken is good, I will fire another PR.

Thank you!
@nerocrux
do omit exp if ExpiresAt is zero value
Unverified
This user has not uploaded their public key yet.
GPG key ID: B485B0A4480907CB Learn about signing commits
Loading status checks…
72ccfe3 
Signed-off-by: nerocrux <nerocrux@gmail.com>
@aeneasr
Copy link
Member

aeneasr commented Nov 9, 2018

Currently, even if we introspect RefreshToken, AccessToken's ExpiresAt will be return in exp. Not sure if this is corrent. Maybe it's better to always omit exp field if we introspect RefreshToken, because there is no expiration time for RefreshToken.

Due to community feedback, I think it would make sense to have refresh tokens expire optionally. Basically you would be able to set a lifespan, but if none is set the refresh token expires after that time. I think the endpoint should still be able to omit the expiry if it's not set!
@aeneasr
aeneasr reviewed Nov 9, 2018
View changes
introspection_response_writer.go
@@ -202,6 +202,11 @@ func (f *Fosite) WriteIntrospectionResponse(rw http.ResponseWriter, r Introspect
return
}

expiresAt := int64(0)

This comment has been minimized.

Sign in to view
@aeneasr

aeneasr Nov 9, 2018 Member

Can you add a test (or modify an existing one) for this?

This comment has been minimized.

Sign in to view
@nerocrux

nerocrux Nov 9, 2018 Author Contributor

Sure, will do later.
@nerocrux nerocrux force-pushed the nerocrux:nerocrux/fix_introspect_response_exp branch from 9a7fc1d to 16d6d54 Nov 10, 2018
@nerocrux
Copy link
Contributor Author

nerocrux commented Nov 10, 2018

@aeneasr I have added some tests for this PR. Please take a look at it if you have time.

Due to community feedback, I think it would make sense to have refresh tokens expire optionally. Basically you would be able to set a lifespan, but if none is set the refresh token expires after that time. I think the endpoint should still be able to omit the expiry if it's not set!

Got it.
By the way, I'm totally agree with your opinion on refresh token's expiration here. I don't think refresh token's expiration will make our system safer, and to manage expiration time of a certain token may increase the complexity.

Have a nice weekend!
@nerocrux nerocrux force-pushed the nerocrux:nerocrux/fix_introspect_response_exp branch 2 times, most recently from fed290b to 0b92ccb Nov 10, 2018
@nerocrux
add test
Loading status checks…
10f2864 
Signed-off-by: nerocrux <nerocrux@gmail.com>
@nerocrux nerocrux force-pushed the nerocrux:nerocrux/fix_introspect_response_exp branch from 0b92ccb to 10f2864 Nov 10, 2018
@aeneasr
Copy link
Member

aeneasr commented Nov 12, 2018

Agreed, thank you for the changes!
@aeneasr aeneasr merged commit 6d50176 into ory:master Nov 12, 2018
3 checks passed
3 checks passed
DCO DCO
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
coverage/coveralls Coverage increased (+0.08%) to 85.559%
Details
budougumi0617 added a commit to budougumi0617/fosite that referenced this pull request May 10, 2019
@budougumi0617
introspect: Omit exp if ExpiresAt is zero value (ory#334)
b88eadf 
Signed-off-by: nerocrux <nerocrux@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@nerocrux @aeneasr
You can’t perform that action at this time.