Changing "accessTokenLifetime" inside Configuration Doesn't impact Access Token Lifetime #908

Closed
afroDC opened this Issue Sep 21, 2018 · 3 comments

@afroDC
Contributor

afroDC commented Sep 21, 2018

No matter what I change the access token lifetime to in Gluu Server, it seems to default to 5 minutes/300 seconds.

Issue exists in 3.1.4.RC6 on CentOS 7.5

@afroDC afroDC added the bug label Sep 21, 2018

@afroDC afroDC added this to the 3.1.4 milestone Sep 21, 2018

@afroDC

Contributor

afroDC commented Sep 21, 2018

Further information:

I'm using the Implicit Flow in a simple JavaScript app to test functionality. To gather my id_token and access token, I use the following code:

// AsUrl, responseType, clientID, scopes, randomString() and setCookie() are
// defined elsewhere in the demo app.
function implicitAuthRequest() {
    const AsAuthUrl = AsUrl + '/oxauth/restv1/authorize';
    const redirectUri = 'http://localhost:8080/success';
    let state = randomString();
    let nonce = randomString();
    // Auth request formatted according to https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
    const getUrl = AsAuthUrl + '?response_type=' + responseType + '&client_id=' + clientID + '&redirect_uri=' + redirectUri + '&scope=' + scopes + '&state=' + state + '&nonce=' + nonce;
    // Store nonce and state so they can be checked against the response
    setCookie("nonce", nonce, 1);
    setCookie("state", state, 1);
    // Redirect for Implicit Flow
    window.location.replace(getUrl);
}

This sends the user to oxAuth for authentication and consent. I then parse the return URL and redirect the user to my demo page with some additional information to utilize, upon successful validation:

function postAuthRedirect () {
    // Gather our authentication response to verify
    const response = JSON.parse(window.localStorage.getItem("authResp"));
    // Base64url-decode the id_token payload from the authentication response
    const idToken = parseJwt(response.id_token);
    // Verify issuer, nonce and audience, then forward the user to a pseudo passed authentication page.
    if (validate(idToken['iss'], idToken['nonce'], idToken['aud'])) {
        window.location.replace("http://localhost:8080/");
    }
    else {
        document.getElementById("passFail").innerHTML = "Failed to validate response!";
    }
}

On the demo page, I have another button that calls the gatherUserClaims() function, which pulls the authentication response from local storage in the browser and uses the saved access token from my authentication response to gather user claim information:

function gatherUserClaims () {
    const authData = JSON.parse(window.localStorage.getItem('authResp'));
    let accessToken;
    if (authData) {
        accessToken = authData.access_token;
    }
    else {
        // Fake access token for testing
        accessToken = 'c769d7ff-c476-42ab-b531-fe2f60b2f5cc';
    }

    const url = AsUrl + '/oxauth/restv1/userinfo';
    const http = new XMLHttpRequest();
    http.onreadystatechange = function() {
        // Only act once the request has completed; the response body is rendered
        // for both a 200 (user claims) and an error status (e.g. a rejected token).
        if (this.readyState == 4) {
            document.getElementById("user_claims").innerHTML = parseJsonResponseForHtml(JSON.parse(this.responseText));
        }
    };
    http.open("GET", url);
    http.setRequestHeader('Authorization', 'Bearer ' + accessToken);
    http.send();
}

The issue is that no matter what I have my accessTokenLifetime set to, I can always pull the user claims. The only time my stored access token will fail is when I have logged out of the OP directly, and that access token is redacted. I'm sharing this as I'm not sure if I'm doing something wrong, or the configuration isn't properly set up.
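Added example (Node.js 16+), not afroDC's code and not oxAuth's: it walks the steps described above (parse the implicit-flow fragment, check state, decode the id_token claims) and adds the exp check the posted validate() call omits, plus a comparison of the advertised expires_in with the configured accessTokenLifetime, which is the symptom this issue reports. The issuer, client_id and token values are placeholders, not values from this issue.

```javascript
// Added example (Node.js 16+), not code from the issue or from oxAuth. It walks the
// steps afroDC describes: parse the implicit-flow fragment, check state, decode the
// id_token claims and compare the advertised lifetime with the configured one.
// Issuer and client id below are placeholders, not values from this issue.
const EXPECTED_ISSUER = 'https://op.example.com';   // placeholder OP issuer
const CLIENT_ID = 'demo-client-id';                 // placeholder client_id

// Decode the JWT payload only. This does NOT verify the signature; a real client
// must verify it against the OP's JWKS before trusting any claim.
function parseJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Turn "#access_token=...&expires_in=...&id_token=...&state=..." into an object
// and reject the response outright when the state does not match the one we sent.
function parseImplicitResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const resp = Object.fromEntries(params.entries());
  if (resp.state !== expectedState) throw new Error('state mismatch');
  return resp;
}

// The iss/nonce/aud checks the posted validate() call performs, plus exp, which
// it omits: an id_token past its exp must be rejected even if the OP still
// answers userinfo calls for the companion access token.
function validateIdToken(claims, expectedNonce, nowSeconds) {
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return claims.iss === EXPECTED_ISSUER
    && aud.includes(CLIENT_ID)
    && claims.nonce === expectedNonce
    && typeof claims.exp === 'number'
    && claims.exp > nowSeconds;
}

// expires_in is how long the OP says the access token lives; if it disagrees with
// the configured accessTokenLifetime, the setting is not being applied.
function lifetimeMatchesConfig(resp, configuredLifetimeSeconds) {
  return Number(resp.expires_in) === configuredLifetimeSeconds;
}

// Constructed demo token: real header/payload encoding, placeholder signature.
function makeDemoToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-sig`;
}
```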

@yuriyz

Contributor

yuriyz commented Sep 21, 2018

I will take over it.

@yuriyz yuriyz assigned yuriyz and unassigned yurem Sep 21, 2018

yuriyz added a commit that referenced this issue Sep 24, 2018

@yuriyz

Contributor

yuriyz commented Sep 24, 2018

Fixed in 3.1.4 and master.

@yuriyz yuriyz closed this Sep 24, 2018