Comments (8)
Also relevant https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
The refresh flow explicitly states new tokens are issued. Obviously this is void of any context regarding the JWT Profile but likely applies.
from fosite.
If approved as a bug, I'd be glad to raise a PR fixing it.
from fosite.
Bumping up
from fosite.
I can confirm that `iat` gets updated in ID tokens, but not access tokens. I think you should just do a PR with tests for this.
from fosite.
So it looks like this is more confusing than one would hope for.

For ID Tokens:
- `RequestedAt` is set to `time.Now().UTC()` when (default) `IDTokenSession` is created. That is used for the `rat` claim.
- `IssuedAt` claim is set to `time.Now().UTC()` when the ID token is being generated. That is used for the `iat` claim.

This seems reasonable. The `rat` claim seems to be a specific feature of Fosite. And it might be reasonable that it does not change on refresh; it shows when the original ID token was requested.

For access tokens:
- `RequestedAt` is set to `time.Now().UTC()` when (default) `Requester` is created. `IssuedAt` is then set to `time.Now().UTC()` when generating the access token using `WithDefaults` in `DefaultJWTStrategy`, but only if it has not already been set. This is used for the `iat` claim.
- Around the code, `RequestedAt` is used as the issued timestamp.
- In the introspection response writer, we can see `response["iat"] = r.GetAccessRequester().GetRequestedAt()`. This works because in `AccessTokenJWTToRequest`, `RequestedAt` is set from `IssuedAt`, from `iat` in the token itself. `AccessTokenJWTToRequest` attempts to read the `rat` claim, but that is never set on access tokens, only ID tokens.

I find this confusing. There are two names (`RequestedAt` and `IssuedAt`) used for the same thing and also two places to save it (one in the requester, the other in the JWT claims).

Anyway, my workaround for this is that I set `IssuedAt` every time `GetJWTClaims()` is called.
from fosite.
Sorry, in fact no, it does not work correctly. By default `AccessTokenJWTToRequest` is not used but a standard introspection is used instead. And I tested this now and it can happen that the `iat` in the response is different from the `iat` in the JWT token. `iat` in the response uses `GetRequestedAt`, but the `iat` timestamp in the JWT is generated using `time.Now().UTC()`.

So the problem is even in the initial access token. And another issue is that after refresh the `iat` is not updated.
from fosite.
Workaround in introspection handler:

```go
// Overwrite RequestedAt with the iat that was actually written into the JWT,
// so the introspection response reports the same iat as the token itself.
ar := ir.GetAccessRequester().(*fosite.AccessRequest)
ar.RequestedAt = ar.GetSession().(*oauth2.JWTSession).JWTClaims.IssuedAt
oidc.WriteIntrospectionResponse(ctx, w, ir)
```
from fosite.
I found another issue. In `HMACSHAStrategy`'s `ValidateAccessToken`, the access token's `GetRequestedAt` is used to validate the token. But because refreshed access tokens keep the original issue time, those refreshed access tokens are valid even before the real issue time (the time they have been issued).
from fosite.
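As an added, stand-alone illustration of the three timestamp problems raised in this thread (introspection `iat` vs. JWT `iat` on the initial token, `RequestedAt` carried over on refresh, and a validator that derives the validity window from `RequestedAt`), the following Go program is not fosite's code: `AccessRequest`, `JWTClaims`, `fakeClock`, `issueAccessToken`, `refreshKeepingRequestedAt`, `refreshAligned`, `introspectionIAT` and `validAt` are hypothetical stand-ins that only mimic the behaviour the comments above describe, with a fake clock so the two `time.Now()` reads visibly differ.

```go
package main

import (
	"fmt"
	"time"
)

// JWTClaims and AccessRequest are hypothetical stand-ins for the two places
// the thread says the timestamp lives: RequestedAt on the requester and
// IssuedAt (the iat claim) inside the JWT session.
type JWTClaims struct {
	IssuedAt time.Time
}

type AccessRequest struct {
	RequestedAt time.Time
	Claims      JWTClaims
}

// fakeClock stands in for time.Now().UTC(): it starts at start and advances
// by step on every call, so two separate reads of it can differ.
func fakeClock(start time.Time, step time.Duration) func() time.Time {
	t := start
	return func() time.Time {
		cur := t
		t = t.Add(step)
		return cur
	}
}

// issueAccessToken models the initial grant: RequestedAt is taken when the
// requester is created, iat later when the JWT is generated. Because these
// are two clock reads, the two values are not guaranteed to be equal.
func issueAccessToken(now func() time.Time) *AccessRequest {
	ar := &AccessRequest{RequestedAt: now()}
	if ar.Claims.IssuedAt.IsZero() { // WithDefaults-style: only set if unset
		ar.Claims.IssuedAt = now()
	}
	return ar
}

// refreshKeepingRequestedAt models the refresh behaviour described in the
// thread: the new token gets a fresh iat but carries over the original
// RequestedAt.
func refreshKeepingRequestedAt(orig *AccessRequest, now func() time.Time) *AccessRequest {
	return &AccessRequest{
		RequestedAt: orig.RequestedAt,
		Claims:      JWTClaims{IssuedAt: now()},
	}
}

// refreshAligned applies the thread's workaround at refresh time: make
// RequestedAt equal to the iat that was actually written into the JWT.
func refreshAligned(orig *AccessRequest, now func() time.Time) *AccessRequest {
	ar := refreshKeepingRequestedAt(orig, now)
	ar.RequestedAt = ar.Claims.IssuedAt
	return ar
}

// introspectionIAT models response["iat"] = GetRequestedAt().
func introspectionIAT(ar *AccessRequest) time.Time {
	return ar.RequestedAt
}

// validAt models a validator that derives the validity window from
// RequestedAt: the token is accepted from RequestedAt until
// RequestedAt+lifespan. With a carried-over RequestedAt that window opens
// before the refreshed token really existed and closes too early.
func validAt(ar *AccessRequest, at time.Time, lifespan time.Duration) bool {
	start := ar.RequestedAt
	return !at.Before(start) && at.Before(start.Add(lifespan))
}

func main() {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample time
	lifespan := time.Hour

	initial := issueAccessToken(fakeClock(base, time.Second))
	fmt.Println("initial token: introspection iat =", introspectionIAT(initial).Format("15:04:05"),
		"jwt iat =", initial.Claims.IssuedAt.Format("15:04:05"))

	refreshAt := fakeClock(base.Add(50*time.Minute), 0) // refresh happens 50 minutes later
	kept := refreshKeepingRequestedAt(initial, refreshAt)
	fixed := refreshAligned(initial, refreshAt)
	probe := base.Add(10 * time.Minute) // 40 minutes before the refresh happened
	fmt.Println("carried-over RequestedAt: valid before real issue time?", validAt(kept, probe, lifespan))
	fmt.Println("aligned RequestedAt:      valid before real issue time?", validAt(fixed, probe, lifespan))
}
```

Run with `go run .`; the first line shows the introspection and JWT `iat` values one second apart, the second line prints `true` for the carried-over `RequestedAt` and the third prints `false` after alignment. The same carried-over value also makes `validAt` reject the refreshed token only ten minutes after the refresh, since the window is still anchored at the original request time.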