For some token endpoints out there, if the access token response doesn't contain the expires_in field, while unmarshaling this response body, it assigns a default or zero time 0001-01-01 00:00:00 +0000 as the expiry.
This causes the access token to be valid in the below func expired() even if it's expired. Ideally, the zero time is before the current time; should it invalidate this? Should the below code return true when t.Expiry.IsZero()?
oauth2@v0.22.0/token.go

```go
// timeNow is time.Now but pulled out as a variable for tests.
var timeNow = time.Now

// expired reports whether the token is expired.
// t must be non-nil.
func (t *Token) expired() bool {
	if t.Expiry.IsZero() {
		return false
	}

	expiryDelta := defaultExpiryDelta
	if t.expiryDelta != 0 {
		expiryDelta = t.expiryDelta
	}
	return t.Expiry.Round(0).Add(-expiryDelta).Before(timeNow())
}

// Valid reports whether t is non-nil, has an AccessToken, and is not expired.
func (t *Token) Valid() bool {
	return t != nil && t.AccessToken != "" && !t.expired()
}
```
nregati changed the title from "Default or zero access expiry" to "Default or zero expiry time in access token makes it valid even if it's expired" on Aug 23, 2024
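The behaviour described in the issue, as an added example (not code from the issue or from golang.org/x/oauth2): a response without expires_in leaves Expiry at the zero time, which the expired() check reads as "never expires", and a caller-side cap on lifetime changes that result. The `token` type, `parseTokenResponse` and the `maxLifetime` policy are hypothetical stand-ins, and the response body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// token is a local stand-in for the oauth2.Token fields discussed in the issue.
type token struct {
	AccessToken string
	Expiry      time.Time
}

// expired mirrors the quoted check (expiryDelta omitted): zero Expiry means "never expires".
func (t *token) expired(now time.Time) bool {
	if t.Expiry.IsZero() {
		return false
	}
	return t.Expiry.Round(0).Before(now)
}

// parseTokenResponse decodes a token endpoint body. Without expires_in, Expiry stays zero
// unless the caller sets maxLifetime > 0 (assumed policy), which caps it at issuedAt+maxLifetime.
func parseTokenResponse(body []byte, issuedAt time.Time, maxLifetime time.Duration) (*token, error) {
	var r struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int64  `json:"expires_in"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	t := &token{AccessToken: r.AccessToken}
	if r.ExpiresIn > 0 {
		t.Expiry = issuedAt.Add(time.Duration(r.ExpiresIn) * time.Second)
	} else if maxLifetime > 0 {
		t.Expiry = issuedAt.Add(maxLifetime)
	}
	return t, nil
}

func main() {
	issued := time.Date(2024, 8, 23, 12, 0, 0, 0, time.UTC)
	later := issued.Add(48 * time.Hour)
	body := []byte(`{"access_token":"constructed-sample","token_type":"Bearer"}`) // constructed, valid JSON
	raw, _ := parseTokenResponse(body, issued, 0)
	capped, _ := parseTokenResponse(body, issued, time.Hour)
	fmt.Println(raw.expired(later), capped.expired(later))
}
```

Two days after issuance the uncapped token still reports as not expired, while the capped one reports as expired.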