Merge pull request #8658 from sberyozkin/oidc_leeway

Rename OIDC expiration-grace property to lifespan-grace
quarkusio · Apr 21, 2020 · 904d7e0 · 904d7e0
2 parents 0470184 + 96d11f4
commit 904d7e0
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 12 deletions.
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -589,11 +589,14 @@ public static Token fromAudience(String... audience) {
         public Optional<List<String>> audience = Optional.empty();
 
         /**
-         * Expiration grace period in seconds. A token expiration time will be reduced by
-         * the value of this property before being compared to the current time.
+         * Life span grace period in seconds.
+         * When checking token expiry, current time is allowed to be later than token expiration time by at most the configured
+         * number of seconds.
+         * When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured
+         * number of seconds.
          */
         @ConfigItem
-        public Optional<Integer> expirationGrace = Optional.empty();
+        public Optional<Integer> lifespanGrace = Optional.empty();
 
         /**
          * Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and `sub` claims are
@@ -629,12 +632,12 @@ public void setAudience(List<String> audience) {
             this.audience = Optional.of(audience);
         }
 
-        public Optional<Integer> getExpirationGrace() {
-            return expirationGrace;
+        public Optional<Integer> getLifespanGrace() {
+            return lifespanGrace;
         }
 
-        public void setExpirationGrace(int expirationGrace) {
-            this.expirationGrace = Optional.of(expirationGrace);
+        public void setLifespanGrace(int lifespanGrace) {
+            this.lifespanGrace = Optional.of(lifespanGrace);
         }
 
         public Optional<String> getPrincipalClaim() {

diff --git a/...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -303,8 +303,8 @@ private void processSuccessfulAuthentication(RoutingContext context, TenantConfi
                 .append(COOKIE_DELIM)
                 .append(result.opaqueRefreshToken()).toString());
         long maxAge = result.idToken().getLong("exp") - result.idToken().getLong("iat");
-        if (configContext.oidcConfig.token.expirationGrace.isPresent()) {
-            maxAge += configContext.oidcConfig.token.expirationGrace.get();
+        if (configContext.oidcConfig.token.lifespanGrace.isPresent()) {
+            maxAge += configContext.oidcConfig.token.lifespanGrace.get();
         }
         LOG.debugf("Session cookie 'max-age' parameter is set to %d", maxAge);
         cookie.setMaxAge(maxAge);

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java
@@ -83,9 +83,9 @@ private TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oi
             options.setValidateIssuer(false);
         }
 
-        if (oidcConfig.getToken().getExpirationGrace().isPresent()) {
+        if (oidcConfig.getToken().getLifespanGrace().isPresent()) {
             JWTOptions jwtOptions = new JWTOptions();
-            jwtOptions.setLeeway(oidcConfig.getToken().getExpirationGrace().get());
+            jwtOptions.setLeeway(oidcConfig.getToken().getLifespanGrace().get());
             options.setJWTOptions(jwtOptions);
         }
 

diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties
@@ -71,7 +71,7 @@ quarkus.oidc.tenant-logout.authentication.cookie-path=/tenant-logout
 quarkus.oidc.tenant-logout.logout.path=/tenant-logout/logout
 quarkus.oidc.tenant-logout.logout.post-logout-path=/tenant-logout/post-logout
 quarkus.oidc.tenant-logout.token.refresh-expired=true
-quarkus.oidc.tenant-logout.token.expiration-grace=120
+quarkus.oidc.tenant-logout.token.lifespan-grace=120
 
 quarkus.http.auth.permission.roles1.paths=/index.html
 quarkus.http.auth.permission.roles1.policy=authenticated