Comments (9)
Token expiration date is currently not required for storage retrieval in the storage backend. Instead, the creation timestamp is stored (Request.GetRequestedAt) and each handler can define its own expiry date. The explicit handler, for example, checks for the expiry date like this:
```go
// Expiry is derived on the fly: stored creation time plus the handler's lifespan.
if authorizeRequest.GetRequestedAt().Add(c.AuthCodeLifespan).Before(time.Now()) {
	return errors.New(ErrInvalidRequest)
}
```
Where c.AuthCodeLifespan is defined:
```go
// AuthorizeExplicitGrantTypeHandler is a response handler for the Authorize Code grant using the explicit grant type
// as defined in https://tools.ietf.org/html/rfc6749#section-4.1
type AuthorizeExplicitGrantTypeHandler struct {
	AccessTokenStrategy   core.AccessTokenStrategy
	RefreshTokenStrategy  core.RefreshTokenStrategy
	AuthorizeCodeStrategy core.AuthorizeCodeStrategy

	// Store is used to persist session data across requests.
	Store AuthorizeCodeGrantStorage

	// AuthCodeLifespan defines the lifetime of an authorize code.
	AuthCodeLifespan time.Duration

	// AccessTokenLifespan defines the lifetime of an access token.
	AccessTokenLifespan time.Duration
}
```
and initialized, for example, as such:
```go
explicitHandler := &explicit.AuthorizeExplicitGrantTypeHandler{
	AccessTokenStrategy:   selectedStrategy,
	RefreshTokenStrategy:  selectedStrategy,
	AuthorizeCodeStrategy: selectedStrategy,
	Store:                 store,
	AuthCodeLifespan:      time.Minute * 10,
	AccessTokenLifespan:   accessTokenLifespan,
}
```
Does not storing the expiry date explicitly imply some sort of negative effect on your use case? Or do you see other problems with this approach? I'd be glad to reconsider this portion if issues arise.
from fosite.
@arekkas Thanks a lot for the quick response.
What I'm trying to implement is a way to create Personal Access Tokens, which many (GitHub, DigitalOcean) have, that do not expire or have a very high expiration value.
from fosite.
I see. I think there are two things you can do:
- Set the lifespan to something huge, e.g. 999999999. This however implies that all tokens issued by the handler (e.g. explicit, implicit, owner, ...) are going to have that long expiry date. It is noteworthy that OAuth2 encourages the use of short-lived credentials due to possible compromise of the tokens.
- Write your own handler. This is what I'd recommend to you. Take a look at the implicit handler or the resource owner handler. They are short pieces of code that extend fosite's capabilities. You could write a PersonalAccessTokenHandler and give it the functionality you want it to have.
Unfortunately, handlers are not well documented. So if you encounter problems or questions, feel free to ask any time. I'm glad to help as best as I can.
from fosite.
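The two comments above describe the same mechanism from both sides: storage keeps only the creation timestamp, and each handler decides its own lifespan when it validates a token. The following is an added, stand-alone example (not fosite's code) that models that design. `Request`, `ExplicitHandler`, `PersonalAccessTokenHandler`, `ErrInvalidRequest` and the method names are constructed for this example and are not fosite's API; the current time is passed in explicitly so the checks are deterministic, and a zero lifespan on the hypothetical personal access token handler is taken to mean "never expires".

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrInvalidRequest stands in for the error returned by the handler check
// quoted in the thread (constructed for this example).
var ErrInvalidRequest = errors.New("invalid_request")

// Request mirrors the relevant part of a stored request: only the creation
// time is persisted, never an explicit expiry.
type Request struct {
	RequestedAt time.Time
}

func (r *Request) GetRequestedAt() time.Time { return r.RequestedAt }

// ExplicitHandler has a fixed authorize-code lifespan, like the
// AuthCodeLifespan field shown in the thread.
type ExplicitHandler struct {
	AuthCodeLifespan time.Duration
}

// ExpiresAt derives the expiry from the stored timestamp; this is all a
// caller needs if it wants to display or persist an expiry after the fact.
func (h *ExplicitHandler) ExpiresAt(req *Request) time.Time {
	return req.GetRequestedAt().Add(h.AuthCodeLifespan)
}

// ValidateCode is the check quoted in the thread with the clock injected.
// A code whose expiry equals `now` is still accepted (Before is strict).
func (h *ExplicitHandler) ValidateCode(req *Request, now time.Time) error {
	if h.ExpiresAt(req).Before(now) {
		return ErrInvalidRequest
	}
	return nil
}

// PersonalAccessTokenHandler is the hypothetical custom handler suggested in
// the thread. Lifespan == 0 means the token never expires; otherwise the
// same creation-time-plus-lifespan rule is applied.
type PersonalAccessTokenHandler struct {
	Lifespan time.Duration
}

func (h *PersonalAccessTokenHandler) ValidateToken(req *Request, now time.Time) error {
	if h.Lifespan == 0 {
		return nil // non-expiring personal access token
	}
	if req.GetRequestedAt().Add(h.Lifespan).Before(now) {
		return ErrInvalidRequest
	}
	return nil
}

func main() {
	// Constructed sample: one stored request checked by two handlers.
	issued := time.Date(2016, 1, 1, 12, 0, 0, 0, time.UTC)
	req := &Request{RequestedAt: issued}
	explicit := &ExplicitHandler{AuthCodeLifespan: 10 * time.Minute}
	pat := &PersonalAccessTokenHandler{} // Lifespan 0: never expires

	for _, now := range []time.Time{
		issued.Add(5 * time.Minute),
		issued.Add(11 * time.Minute),
		issued.AddDate(5, 0, 0),
	} {
		fmt.Printf("%s  explicit=%v  pat=%v\n",
			now.Format(time.RFC3339),
			explicit.ValidateCode(req, now),
			pat.ValidateToken(req, now))
	}
}
```

The point the example makes is that the same stored record yields a 10-minute validity under one handler and unbounded validity under another, without any change to the storage schema; the trade-off, as the comment notes, is that whoever is handed a non-expiring token holds it until it is revoked, so revocation has to be the backstop.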
You can also read up on handlers in the README. I didn't have time yet to document these extensively but I think they are the best fit for what you are trying to achieve. You could define your own storage interface, your own grant_type or response_type (e.g. "personal_access_token") and write custom validation / issuance as well.
I'm actually super glad you came up with that use case. It shows me that extensible handlers are not only abstract overhead but can help in some cases! :D
from fosite.
Oh yes! :D That will work. To be honest, I didn't know I could define my own handlers.
I'm super excited about this library. A few hours back I was very frustrated that I didn't understand it. I think I understand the concepts a bit better now.
Thanks a lot, really appreciate it.
from fosite.
I'm glad you got past the frustration point! :) If you encounter problems or questions feel free to ask any time. If you have ideas how to lower the frustration bar for newcomers, I honestly appreciate any contributions!
Regarding handler implementation: I can currently only point you to the existing handlers, but I think they are a good place to start. If you want to see it live in action, you could modify the example a little bit and add your custom handler type to the factory.
from fosite.
One more thing: Right now, the handlers are only implementing OAuth2-specific stuff. I wanted to implement an OpenID Connect handler as well but didn't have the time yet. It is therefore quite possible that the APIs and interface definitions are not as mature as they should be. If you encounter strangeness or something, always ask before you waste your time on trying to achieve something that can't work with the current API definitions :)
from fosite.
Absolutely 👍
from fosite.
Hey, this is now implemented without you having to access the handlers :) dfb047d
from fosite.