Clock skew to check access token expiration has wrong sign #7511
Comments
spring-projects-issues
added
the
status: waiting-for-triage
Fixes spring-projectsgh-7511 Co-authored-by: Isaac Cummings <josh.cummings+zac@gmail.com>
|
Thank you, @shimikano for checking on this. I believe the arithmetic is correct as-is. Consider an expiration time at time 10. At time 9, it is not yet expired: 10 < 9 is false. So far so good. But, with a skew of 2, 10 < 9 + 2 would be true, meaning that it is expired. This is wrong since the intent of the skew is to give the token 2 units of additional leeway, not 2 units less. Using this same example of an expiration time at time 10, let's say that it is now time 11, so the token is expired. But, we have a skew of 2, so 10 < 11 - 2 would mean that it is not yet expired, which is correct. 10 < 11 + 2 would state that it is expired, which is not correct. |
Fixes gh-7511 Co-authored-by: Isaac Cummings <josh.cummings+zac@gmail.com>
|
Thank you for looking into this.
This is the crucial observation. The semantics of a skew may depend on the context, but I'd argue that in the specific use case of Going back to your example, if the token is considered not yet expired at time 11 (and hence wouldn't get refreshed), the request to the resource server would fail due to an expired token. On the other hand, I would like it to be considered expired at time 9. This used to be the case (and was documented accordingly) pre 5.2.0. We tried to recreate the old behavior by passing a negative skew to If the logic you described ("skew = extending a token's life time") is really needed, then I'd suggest removing the negative skew check of |
|
@jzheaux I hate adding +1 comments, but I really think this issue needs to be reopened, as the current behavior does not allow clients to preemptively refresh tokens before they expire. Essentially the current behavior guarantees that some client requests will fail due to using an expired token. I'd like to avoid failed client requests. I 100% agree with @shimikano 's assertion that the skew should give 2 units less leeway on the client side, so that the client will refresh the token before it expires, not after it expires. On the resource-server side, however, I can totally see a clock skew giving 2 units more leeway (which is what is currently done in the |
This makes sense and it looks like there is indeed an issue with the AuthorizedClientProvider implementations. Let me investigate this further. |
jgrandja
added
in: oauth2
|
@shimikano @philsttr I just pushed the fix. Please try it and let me know how it goes. Thanks. |
- Change method hasTokenExpired in JwtBearerOAuth2AuthorizedClientProvider to avoid error when including skew time (same as spring-projectsgh-7511) - Rename classes to follow conventions - Define and use constants in AuthorizationGrantType, OAuth2ParameterNames and OAuth2AuthorizationContext - Add jwtBearer builder in OAuth2AuthorizedClientProviderBuilder - Add Junit tests, mainly copied and adapted from Password grant
Summary
After upgrading to 5.2.0.RELEASE, we noticed that the clock skew used to calculate an access token's expiration in conjunction with
ServerOAuth2AuthorizedClientExchangeFilterFunctionseems to have the wrong sign.E.g., compare the
hasTokenExpiredmethod in the variousAuthorizedClientProviderimplementations of 5.2.0.RELEASE with the implementation of 5.1.6.RELEASE.Though consistent with the javadoc, the skew should be added to the current timestamp in order to conservatively consider an access token expired.
Actual Behavior
token has expired <==> expiration time < now - skewExpected Behavior
token has expired <==> expiration time < now + skewVersion
5.2.0.RELEASE
The text was updated successfully, but these errors were encountered: