Merge pull request #671 from ericchiang/fix-server-time-bug
server: use seconds instead of nanoseconds for expires_in and expiry
This commit is contained in:
commit
5302fefdfb
2 changed files with 39 additions and 2 deletions
|
@ -439,7 +439,7 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
|
||||||
v.Set("token_type", "bearer")
|
v.Set("token_type", "bearer")
|
||||||
v.Set("id_token", idToken)
|
v.Set("id_token", idToken)
|
||||||
v.Set("state", authReq.State)
|
v.Set("state", authReq.State)
|
||||||
v.Set("expires_in", strconv.Itoa(int(expiry.Sub(s.now()))))
|
v.Set("expires_in", strconv.Itoa(int(expiry.Sub(s.now()).Seconds())))
|
||||||
u.Fragment = v.Encode()
|
u.Fragment = v.Encode()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -637,7 +637,7 @@ func (s *Server) writeAccessToken(w http.ResponseWriter, idToken, refreshToken s
|
||||||
}{
|
}{
|
||||||
storage.NewID(),
|
storage.NewID(),
|
||||||
"bearer",
|
"bearer",
|
||||||
int(expiry.Sub(s.now())),
|
int(expiry.Sub(s.now()).Seconds()),
|
||||||
refreshToken,
|
refreshToken,
|
||||||
idToken,
|
idToken,
|
||||||
}
|
}
|
||||||
|
|
|
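Review bot: `int(expiry.Sub(s.now()).Seconds())` routes the lifetime through a float64 and truncates toward zero, so a remaining lifetime of 29.9s is reported as 29 while the token's own exp claim (set elsewhere from the same `expiry`) may round differently; the integer form `int(expiry.Sub(s.now()) / time.Second)` avoids the float round-trip and is the idiomatic way to express the same value. The identical expression is hand-copied into the writeAccessToken struct literal in the second hunk, so a small helper such as `func expiresIn(now, expiry time.Time) int { return int(expiry.Sub(now) / time.Second) }` would keep the two responses from drifting apart. If `expiry` could ever precede `s.now()` the value would go negative, which is not a valid expires_in under RFC 6749; I cannot see where expiry is computed, so this may already be ruled out. Both sendCodeResponse and writeAccessToken start outside their hunks.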
@ -137,6 +137,18 @@ func TestOAuth2CodeFlow(t *testing.T) {
|
||||||
clientSecret := "testclientsecret"
|
clientSecret := "testclientsecret"
|
||||||
requestedScopes := []string{oidc.ScopeOpenID, "email", "offline_access"}
|
requestedScopes := []string{oidc.ScopeOpenID, "email", "offline_access"}
|
||||||
|
|
||||||
|
t0 := time.Now().Round(time.Second)
|
||||||
|
|
||||||
|
// Always have the time function used by the server return the same time so
|
||||||
|
// we can predict expected values of "expires_in" fields exactly.
|
||||||
|
now := func() time.Time { return t0 }
|
||||||
|
|
||||||
|
// Used later when configuring test servers to set how long id_tokens will be valid for.
|
||||||
|
//
|
||||||
|
// The actual value of 30s is completely arbitrary. We just need to set a value
|
||||||
|
// so tests can compute the expected "expires_in" field.
|
||||||
|
idTokensValidFor := time.Second * 30
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
handleToken func(context.Context, *oidc.Provider, *oauth2.Config, *oauth2.Token) error
|
handleToken func(context.Context, *oidc.Provider, *oauth2.Config, *oauth2.Token) error
|
||||||
|
@ -154,6 +166,29 @@ func TestOAuth2CodeFlow(t *testing.T) {
|
||||||
return nil
|
return nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "verify id token and oauth2 token expiry",
|
||||||
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
|
||||||
|
expectedExpiry := now().Add(idTokensValidFor)
|
||||||
|
|
||||||
|
if !token.Expiry.Round(time.Second).Equal(expectedExpiry) {
|
||||||
|
return fmt.Errorf("expected expired_in to be %s, got %s", expectedExpiry, token.Expiry)
|
||||||
|
}
|
||||||
|
|
||||||
|
rawIDToken, ok := token.Extra("id_token").(string)
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("no id token found")
|
||||||
|
}
|
||||||
|
idToken, err := p.NewVerifier(ctx).Verify(rawIDToken)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("failed to verify id token: %v", err)
|
||||||
|
}
|
||||||
|
if !idToken.Expiry.Round(time.Second).Equal(expectedExpiry) {
|
||||||
|
return fmt.Errorf("expected id token expiry to be %s, got %s", expectedExpiry, token.Expiry)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "refresh token",
|
name: "refresh token",
|
||||||
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
|
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
|
||||||
|
@ -259,6 +294,8 @@ func TestOAuth2CodeFlow(t *testing.T) {
|
||||||
|
|
||||||
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
httpServer, s := newTestServer(ctx, t, func(c *Config) {
|
||||||
c.Issuer = c.Issuer + "/non-root-path"
|
c.Issuer = c.Issuer + "/non-root-path"
|
||||||
|
c.Now = now
|
||||||
|
c.IDTokensValidFor = idTokensValidFor
|
||||||
})
|
})
|
||||||
defer httpServer.Close()
|
defer httpServer.Close()
|
||||||
|
|
||||||
|
|
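Review bot: The failure message in the id token branch reports the wrong value: `return fmt.Errorf("expected id token expiry to be %s, got %s", expectedExpiry, token.Expiry)` prints the oauth2 token's expiry although the comparison directly above it is against `idToken.Expiry`, so a failing run would show a misleading and possibly equal timestamp; it should end `..., expectedExpiry, idToken.Expiry)`. The earlier message says "expected expired_in" for what is a comparison of `token.Expiry`; `"expected oauth2 token expiry to be %s, got %s"` would describe it accurately. Separately, only the server clock is frozen via `c.Now = now`; if the client library derives `token.Expiry` from the real wall clock plus `expires_in` (as golang.org/x/oauth2 appears to), the `Round(time.Second)` comparison against `t0` can differ by one second when the request straddles a second boundary, which would make this case flaky, so it is worth confirming or allowing a one-second tolerance. TestOAuth2CodeFlow begins before and continues past the hunks shown.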