
Fix management of tokens lifetime following RFC9068 #620

Merged
merged 21 commits into from
Sep 14, 2023

Conversation

federicaagostini
Contributor

@federicaagostini federicaagostini commented Jun 19, 2023

The Access Token and Refresh Token lifetimes are configurable by admins via web interface. #545
The exp claim will always appear into access tokens (following RFC9068). #648

@sonarcloud

sonarcloud bot commented Jul 11, 2023

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

100.0% Coverage
0.0% Duplication

@giacomini giacomini marked this pull request as draft July 11, 2023 12:24
@enricovianello
Member

Follow the RFC https://datatracker.ietf.org/doc/html/rfc9068

@federicaagostini
Contributor Author

When AT does not expire, the exp claim does not appear in the token (that is not compliant with the OAuth2/JWT specification). Thus, fix this in order to always include the exp claim. Also, do not allow infinite lifetime for access tokens.
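As an added example (not code from IAM or this PR), both sides of the point made above: an issuer-side helper that always emits a finite `exp` by falling back to a default lifetime and clamping to a cap, and a resource-server check of the claims RFC 9068 makes mandatory, which rejects a token lacking `exp`. The lifetimes, issuer/audience names and the unsigned sample token are constructed assumptions, and signature verification is assumed to happen before the check.

```python
import base64
import json
import time

# Constructed deployment defaults (assumptions, not IAM's configuration).
DEFAULT_AT_LIFETIME_S = 3600      # used when a client sets no lifetime
MAX_AT_LIFETIME_S = 24 * 3600     # hard cap: no "never expires" tokens
REQUIRED_AT_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")


def access_token_claims(iss, sub, aud, client_id, jti, lifetime_s=None, now=None):
    """Issuer side: build an RFC 9068 claim set whose exp is always present and finite.

    A missing, zero or negative lifetime (the old 'AT does not expire' case)
    falls back to the default, and anything above the cap is clamped.
    """
    now = int(time.time()) if now is None else now
    if not lifetime_s or lifetime_s <= 0:
        lifetime_s = DEFAULT_AT_LIFETIME_S
    lifetime_s = min(lifetime_s, MAX_AT_LIFETIME_S)
    return {"iss": iss, "sub": sub, "aud": aud, "client_id": client_id,
            "jti": jti, "iat": now, "exp": now + lifetime_s}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def encode_unsigned(header, claims):
    """Constructed test helper: serialise header.payload with a dummy signature."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "sig"])


def check_at_claims(token, now=None):
    """Resource-server side: RFC 9068 typ and mandatory-claim checks.

    Assumes the caller has already verified the signature. Returns a list of
    problems; an empty list means the token passed these checks.
    """
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if str(header.get("typ", "")).lower() not in ("at+jwt", "application/at+jwt"):
        problems.append("header typ must be at+jwt")
    problems += [f"missing required claim {c}" for c in REQUIRED_AT_CLAIMS if c not in claims]
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    return problems
```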

@enricovianello
Member

@federicaagostini probably a new issue related to "exp" claim could be a good idea

when a client request through the API does not explicitly set one
since the "Token" tab with token-related settings is visible only by Admins.
When the lifetimes are not requested during a client update/save, set them
to the default values (that are deployment options).
@enricovianello enricovianello marked this pull request as ready for review September 14, 2023 09:42
@enricovianello enricovianello changed the title Fix update of AT/RT lifetmes Fix update of AT/RT lifetimes Sep 14, 2023
@enricovianello enricovianello changed the title Fix update of AT/RT lifetimes Fix management of tokens lifetime following RFC9068 Sep 14, 2023
@enricovianello enricovianello merged commit 3749a72 into develop Sep 14, 2023
9 checks passed
@sonarcloud

sonarcloud bot commented Sep 14, 2023

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

100.0% Coverage
0.0% Duplication

@sonarcloud

sonarcloud bot commented Sep 14, 2023

Please retry analysis of this Pull-Request directly on SonarCloud.

@enricovianello enricovianello deleted the issue-545-rebased branch September 14, 2023 13:36
enricovianello added a commit that referenced this pull request Dec 11, 2023
Development

Successfully merging this pull request may close these issues.

Fix web interface for token lifetime
2 participants