forked from mystiq/dex
Merge pull request #671 from ericchiang/fix-server-time-bug
server: use seconds instead of nano seconds for expires_in and expiry
This commit is contained in:
commit
5302fefdfb
2 changed files with 39 additions and 2 deletions
|
@ -439,7 +439,7 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
|
|||
v.Set("token_type", "bearer")
|
||||
v.Set("id_token", idToken)
|
||||
v.Set("state", authReq.State)
|
||||
v.Set("expires_in", strconv.Itoa(int(expiry.Sub(s.now()))))
|
||||
v.Set("expires_in", strconv.Itoa(int(expiry.Sub(s.now()).Seconds())))
|
||||
u.Fragment = v.Encode()
|
||||
}
|
||||
}
|
||||
|
@ -637,7 +637,7 @@ func (s *Server) writeAccessToken(w http.ResponseWriter, idToken, refreshToken s
|
|||
}{
|
||||
storage.NewID(),
|
||||
"bearer",
|
||||
int(expiry.Sub(s.now())),
|
||||
int(expiry.Sub(s.now()).Seconds()),
|
||||
refreshToken,
|
||||
idToken,
|
||||
}
|
||||
|
|
|
@ -137,6 +137,18 @@ func TestOAuth2CodeFlow(t *testing.T) {
|
|||
clientSecret := "testclientsecret"
|
||||
requestedScopes := []string{oidc.ScopeOpenID, "email", "offline_access"}
|
||||
|
||||
t0 := time.Now().Round(time.Second)
|
||||
|
||||
// Always have the time function used by the server return the same time so
|
||||
// we can predict expected values of "expires_in" fields exactly.
|
||||
now := func() time.Time { return t0 }
|
||||
|
||||
// Used later when configuring test servers to set how long id_tokens will be valid for.
|
||||
//
|
||||
// The actual value of 30s is completely arbitrary. We just need to set a value
|
||||
// so tests can compute the expected "expires_in" field.
|
||||
idTokensValidFor := time.Second * 30
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
handleToken func(context.Context, *oidc.Provider, *oauth2.Config, *oauth2.Token) error
|
||||
|
@ -154,6 +166,29 @@ func TestOAuth2CodeFlow(t *testing.T) {
|
|||
return nil
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "verify id token and oauth2 token expiry",
|
||||
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
|
||||
expectedExpiry := now().Add(idTokensValidFor)
|
||||
|
||||
if !token.Expiry.Round(time.Second).Equal(expectedExpiry) {
|
||||
return fmt.Errorf("expected expired_in to be %s, got %s", expectedExpiry, token.Expiry)
|
||||
}
|
||||
|
||||
rawIDToken, ok := token.Extra("id_token").(string)
|
||||
if !ok {
|
||||
return fmt.Errorf("no id token found")
|
||||
}
|
||||
idToken, err := p.NewVerifier(ctx).Verify(rawIDToken)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to verify id token: %v", err)
|
||||
}
|
||||
if !idToken.Expiry.Round(time.Second).Equal(expectedExpiry) {
|
||||
return fmt.Errorf("expected id token expiry to be %s, got %s", expectedExpiry, token.Expiry)
|
||||
}
|
||||
return nil
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "refresh token",
|
||||
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
|
||||
|
@ -259,6 +294,8 @@ func TestOAuth2CodeFlow(t *testing.T) {
|
|||
|
||||
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
||||
c.Issuer = c.Issuer + "/non-root-path"
|
||||
c.Now = now
|
||||
c.IDTokensValidFor = idTokensValidFor
|
||||
})
|
||||
defer httpServer.Close()
|
||||
|
||||
|
|
Loading…
Reference in a new issue