Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Retain OIDC access token expiry time in the cookie #32109

Closed
sberyozkin opened this issue Mar 24, 2023 · 1 comment · Fixed by #45337
Closed

Retain OIDC access token expiry time in the cookie #32109

sberyozkin opened this issue Mar 24, 2023 · 1 comment · Fixed by #45337
Labels
area/oidc kind/enhancement New feature or request
Milestone
3.18.0.CR1

Comments

@sberyozkin
Copy link
Member

Description

Right now, when the authorization code flow is run, and the code is exchanged for tokens, they are kept in the session cookie by default. ID token is always JWT so when its expiry is checked, a JWT exp claim is checked.
However when the access token is used to fetch UserInfo, and its expiry is checked, right now, we have 2 options:

  1. if the access token is JWT - check the expiry the same way as for the ID token
  2. if the access token is binary - introspect it remotely and get the exp property from the introspection response.

However, when the token is introspected and is reported as inactive, providers are not required to report any reasons behind the access token becoming inactive, so the exp info is not guaranteed to be always present in the introspection responses.

But the access token expiry time is typically returned when the code is exchanged for the tokens, as a JSON property reported in addition to the actual tokens.

So this enhancement is about retaining this property in the session cookie. The challenge here is that unless it is integrity protected, we can't rely on this expiry date coming from the cookie.

Implementation ideas

No response
@sberyozkin sberyozkin added the kind/enhancement New feature or request label Mar 24, 2023
@quarkus-bot
Copy link

quarkus-bot bot commented Mar 24, 2023

/cc @pedroigor (oidc)

This was referenced Dec 27, 2024
Merged
Merged
Merged
@quarkus-bot quarkus-bot bot added this to the 3.18 - main milestone Jan 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/oidc kind/enhancement New feature or request
Projects
None yet
Milestone
3.18.0.CR1
Development

Successfully merging a pull request may close this issue.

Use access token expires_in to refresh code flow tokens sberyozkin/quarkus
1 participant
@sberyozkin