Merge pull request #671 from ericchiang/fix-server-time-bug

server: use seconds instead of nano seconds for expires_in and expiry
This commit is contained in:
Eric Chiang 2016-11-05 07:56:06 -07:00 committed by GitHub
commit 5302fefdfb
2 changed files with 39 additions and 2 deletions

View file

@ -439,7 +439,7 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
v.Set("token_type", "bearer")
v.Set("id_token", idToken)
v.Set("state", authReq.State)
v.Set("expires_in", strconv.Itoa(int(expiry.Sub(s.now()))))
v.Set("expires_in", strconv.Itoa(int(expiry.Sub(s.now()).Seconds())))
u.Fragment = v.Encode()
}
}
@ -637,7 +637,7 @@ func (s *Server) writeAccessToken(w http.ResponseWriter, idToken, refreshToken s
}{
storage.NewID(),
"bearer",
int(expiry.Sub(s.now())),
int(expiry.Sub(s.now()).Seconds()),
refreshToken,
idToken,
}

View file

@ -137,6 +137,18 @@ func TestOAuth2CodeFlow(t *testing.T) {
clientSecret := "testclientsecret"
requestedScopes := []string{oidc.ScopeOpenID, "email", "offline_access"}
t0 := time.Now().Round(time.Second)
// Always have the time function used by the server return the same time so
// we can predict expected values of "expires_in" fields exactly.
now := func() time.Time { return t0 }
// Used later when configuring test servers to set how long id_tokens will be valid for.
//
// The actual value of 30s is completely arbitrary. We just need to set a value
// so tests can compute the expected "expires_in" field.
idTokensValidFor := time.Second * 30
tests := []struct {
name string
handleToken func(context.Context, *oidc.Provider, *oauth2.Config, *oauth2.Token) error
@ -154,6 +166,29 @@ func TestOAuth2CodeFlow(t *testing.T) {
return nil
},
},
{
name: "verify id token and oauth2 token expiry",
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
expectedExpiry := now().Add(idTokensValidFor)
if !token.Expiry.Round(time.Second).Equal(expectedExpiry) {
return fmt.Errorf("expected expired_in to be %s, got %s", expectedExpiry, token.Expiry)
}
rawIDToken, ok := token.Extra("id_token").(string)
if !ok {
return fmt.Errorf("no id token found")
}
idToken, err := p.NewVerifier(ctx).Verify(rawIDToken)
if err != nil {
return fmt.Errorf("failed to verify id token: %v", err)
}
if !idToken.Expiry.Round(time.Second).Equal(expectedExpiry) {
return fmt.Errorf("expected id token expiry to be %s, got %s", expectedExpiry, token.Expiry)
}
return nil
},
},
{
name: "refresh token",
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
@ -259,6 +294,8 @@ func TestOAuth2CodeFlow(t *testing.T) {
httpServer, s := newTestServer(ctx, t, func(c *Config) {
c.Issuer = c.Issuer + "/non-root-path"
c.Now = now
c.IDTokensValidFor = idTokensValidFor
})
defer httpServer.Close()