Default or zero expiry time in access token makes it valid even if it's expired #738

Open
nregati opened this issue Aug 23, 2024 · 0 comments


nregati commented Aug 23, 2024

For some token endpoints out there, if the access token response doesn't contain the expires_in field, while unmarshaling this response body, it assigns a default or zero time 0001-01-01 00:00:00 +0000 as the expiry.

This causes the access token to be valid in the below func `expired()` even if it's expired. Ideally, the zero time is before the current time; should it invalidate this? Should the below code return true when `t.Expiry.IsZero()`?

oauth2@v0.22.0/token.go

```go
// timeNow is time.Now but pulled out as a variable for tests.
var timeNow = time.Now

// expired reports whether the token is expired.
// t must be non-nil.
func (t *Token) expired() bool {
	if t.Expiry.IsZero() {
		return false
	}

	expiryDelta := defaultExpiryDelta
	if t.expiryDelta != 0 {
		expiryDelta = t.expiryDelta
	}
	return t.Expiry.Round(0).Add(-expiryDelta).Before(timeNow())
}

// Valid reports whether t is non-nil, has an AccessToken, and is not expired.
func (t *Token) Valid() bool {
	return t != nil && t.AccessToken != "" && !t.expired()
}
```
@nregati nregati changed the title Default or zero access expiry Default or zero expiry time in access token makes it valid even if it's expired Aug 23, 2024