OAuth access token and refresh token expiration times #12641

Closed
1 of 3 tasks
gempain opened this issue Aug 29, 2020 · 5 comments · Fixed by #12642

gempain commented Aug 29, 2020

  • Gitea version (or commit ref): 1.13.0+dev-371-g4d9f59a45
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

The OAuth2 docs describe REFRESH_TOKEN_EXPIRATION_TIME as the Lifetime of an OAuth2 access token in hours. This seems incorrect looking at the name of the variable.

That aside, I find it strange to have different expiration times for the refresh token and the access token. When you get an access token via the OAuth authorization flow, you get this answer:

{
  "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjowLCJleHAiOjE1NTUxNzk5MTIsImlhdCI6MTU1NTE3NjMxMn0.0-iFsAwBtxuckA0sNZ6QpBQmywVPz129u75vOM7wPJecw5wqGyBkmstfJHAjEOqrAf_V5Z-1QYeCh_Cz4RiKug",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjoxLCJjbnQiOjEsImV4cCI6MTU1NzgwNDMxMiwiaWF0IjoxNTU1MTc2MzEyfQ.S_HZQBy4q9r5SEzNGNIoFClT43HPNDbUdHH-GYNYYdkRfft6XptJBkUQscZsGxOW975Yk6RbgtGvq1nkEcklOw"
}

The expires_in property is the expiration time of the access token (per specification). Hence, a third party application would expect to be able to refresh the access token within 3600 seconds. But in reality, that won't work as the refresh token expires in REFRESH_TOKEN_EXPIRATION_TIME.
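The reply quoted in the issue can be checked directly: both tokens are JWTs whose payload segments base64url-decode to {"gnt":2,"tt":0,"exp":1555179912,"iat":1555176312} (access token) and {"gnt":2,"tt":1,"cnt":1,"exp":1557804312,"iat":1555176312} (refresh token), so exp minus iat gives the lifetime the server actually encoded: 3600 s for the access token, matching expires_in, and 2628000 s, i.e. 730 hours, for the refresh token. The following Go program is an added example, not code from the issue or from Gitea; the type and function names (tokenReply, decodeJWTTimes, inspectReply) are mine, and the sample reply is the one quoted above, embedded as constructed input. It decodes the payloads without verifying the signatures: the client has no key, and this is a diagnostic, not an authorization decision.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenReply is the subset of the OAuth2 token-endpoint reply this check needs.
type tokenReply struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int64  `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
}

// jwtTimes holds the registered exp and iat claims of a JWT payload.
type jwtTimes struct {
	Exp int64 `json:"exp"`
	Iat int64 `json:"iat"`
}

// decodeJWTTimes base64url-decodes the payload segment of a JWT and extracts
// exp and iat. It does NOT verify the signature: the client has no key, and
// this is a diagnostic, not an authorization decision.
func decodeJWTTimes(token string) (jwtTimes, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return jwtTimes{}, errors.New("token is not a three-segment JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return jwtTimes{}, fmt.Errorf("payload is not base64url: %w", err)
	}
	var t jwtTimes
	if err := json.Unmarshal(payload, &t); err != nil {
		return jwtTimes{}, fmt.Errorf("payload is not JSON: %w", err)
	}
	if t.Exp == 0 || t.Iat == 0 || t.Exp < t.Iat {
		return jwtTimes{}, errors.New("exp/iat claims missing or inconsistent")
	}
	return t, nil
}

// lifetimes is what inspectReply reports.
type lifetimes struct {
	AccessSeconds  int64   // exp - iat of the access token
	RefreshSeconds int64   // exp - iat of the refresh token
	RefreshHours   float64 // RefreshSeconds in the unit Gitea's setting uses
	ExpiresInMatch bool    // does expires_in describe the access token?
}

// inspectReply parses a token reply and compares the advertised expires_in
// with the lifetimes actually encoded in the two JWTs.
func inspectReply(raw []byte) (lifetimes, error) {
	var reply tokenReply
	if err := json.Unmarshal(raw, &reply); err != nil {
		return lifetimes{}, fmt.Errorf("reply is not JSON: %w", err)
	}
	at, err := decodeJWTTimes(reply.AccessToken)
	if err != nil {
		return lifetimes{}, fmt.Errorf("access token: %w", err)
	}
	rt, err := decodeJWTTimes(reply.RefreshToken)
	if err != nil {
		return lifetimes{}, fmt.Errorf("refresh token: %w", err)
	}
	l := lifetimes{
		AccessSeconds:  at.Exp - at.Iat,
		RefreshSeconds: rt.Exp - rt.Iat,
	}
	l.RefreshHours = float64(l.RefreshSeconds) / 3600
	l.ExpiresInMatch = l.AccessSeconds == reply.ExpiresIn
	return l, nil
}

// sampleReply is the reply quoted in the issue, embedded here as constructed
// sample input (the signatures are never checked).
const sampleReply = `{
  "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjowLCJleHAiOjE1NTUxNzk5MTIsImlhdCI6MTU1NTE3NjMxMn0.0-iFsAwBtxuckA0sNZ6QpBQmywVPz129u75vOM7wPJecw5wqGyBkmstfJHAjEOqrAf_V5Z-1QYeCh_Cz4RiKug",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjoxLCJjbnQiOjEsImV4cCI6MTU1NzgwNDMxMiwiaWF0IjoxNTU1MTc2MzEyfQ.S_HZQBy4q9r5SEzNGNIoFClT43HPNDbUdHH-GYNYYdkRfft6XptJBkUQscZsGxOW975Yk6RbgtGvq1nkEcklOw"
}`

func main() {
	l, err := inspectReply([]byte(sampleReply))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("access token lifetime:  %d s (expires_in matches: %v)\n", l.AccessSeconds, l.ExpiresInMatch)
	fmt.Printf("refresh token lifetime: %d s = %.0f h\n", l.RefreshSeconds, l.RefreshHours)
}
```

Per RFC 6749 both tokens are opaque strings to the client, so a client must not depend on being able to read them; this inspection is for checking what a particular deployment is issuing, which is exactly where the hours-versus-seconds confusion in this issue shows up.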

zeripath added a commit to zeripath/gitea that referenced this issue Aug 29, 2020
REFRESH_TOKEN_EXPIRATION_TIME refers to the refresh token not the access token

Fix go-gitea#12641

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath (Contributor) commented

It looks like the docs are incorrect here. The name is correct: it sets the REFRESH_TOKEN_EXPIRATION_TIME, not the ACCESS token expiration time. I've sent a PR to update them.

lafriks pushed a commit that referenced this issue Aug 29, 2020
REFRESH_TOKEN_EXPIRATION_TIME refers to the refresh token not the access token

Fix #12641

Signed-off-by: Andrew Thornton <art27@cantab.net>

gempain commented Aug 31, 2020

@zeripath thanks for the fix! That was quick 😄 Do you have any comment regarding the fact that there are two settings for those timeouts? How is a third-party app expected to refresh the token, since the refresh token will have expired long before the 3600 seconds mentioned in the payload as expire_time? Shouldn't Gitea return the expiration of the refresh token as well?

zeripath (Contributor) commented

The refresh token is in hours, not seconds.


gempain commented Sep 2, 2020

@zeripath I see. Do you think it would be possible to include in the OAuth response a property named refresh_token_expires_in which has that value? GitHub does this:

{
  "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a",
  "expires_in": "28800",
  "refresh_token": "r1.c1b4a2e77838347a7e420ce178f2e7c6912e1692",
  "refresh_token_expires_in": "15811200",
  "scope": "",
  "token_type": "bearer"
}


zeripath commented Sep 2, 2020

You would probably have to add it here:

RefreshToken string `json:"refresh_token"`

And here

RefreshToken: signedRefreshToken,

It would be a two-line PR (barring formatting changes).

Feel free to submit a PR.
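As an added example of the shape such a reply could take, not Gitea's own code and not the PR discussed above, the following Go program builds a token response that carries refresh_token_expires_in beside expires_in, the way the GitHub reply quoted earlier does. The struct and function names (tokenReplyWithRefreshExpiry, buildTokenReply) are mine. The access lifetime is taken in seconds and the refresh lifetime in hours, the unit of Gitea's REFRESH_TOKEN_EXPIRATION_TIME, and both are normalised to seconds in the reply so the client never has to know the server's configuration unit. The builder also refuses a configuration in which the refresh token would expire before the access token, since the client then could not refresh within expires_in. The 3600 s and 730 h used in main are the values the JWTs quoted in the issue encode (exp minus iat is 3600 s and 2628000 s respectively), assumed here for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// tokenReplyWithRefreshExpiry is an illustrative response shape (not Gitea's
// own type) that carries refresh_token_expires_in beside expires_in, the way
// GitHub's reply quoted in the issue does.
type tokenReplyWithRefreshExpiry struct {
	AccessToken           string `json:"access_token"`
	TokenType             string `json:"token_type"`
	ExpiresIn             int64  `json:"expires_in"`
	RefreshToken          string `json:"refresh_token"`
	RefreshTokenExpiresIn int64  `json:"refresh_token_expires_in"`
}

// buildTokenReply fills both expiry fields. The access lifetime is given in
// seconds and the refresh lifetime in hours (the unit Gitea's
// REFRESH_TOKEN_EXPIRATION_TIME uses); both are reported in seconds so the
// client never has to guess the server's unit. A refresh token that would
// expire before the access token is rejected, because the client could then
// not refresh within expires_in.
func buildTokenReply(accessToken, refreshToken string, accessLifetimeSeconds, refreshLifetimeHours int64) (tokenReplyWithRefreshExpiry, error) {
	if accessLifetimeSeconds <= 0 || refreshLifetimeHours <= 0 {
		return tokenReplyWithRefreshExpiry{}, fmt.Errorf("lifetimes must be positive (got %d s and %d h)", accessLifetimeSeconds, refreshLifetimeHours)
	}
	refreshSeconds := refreshLifetimeHours * 3600
	if refreshSeconds < accessLifetimeSeconds {
		return tokenReplyWithRefreshExpiry{}, fmt.Errorf("refresh token lifetime %d s is shorter than access token lifetime %d s", refreshSeconds, accessLifetimeSeconds)
	}
	return tokenReplyWithRefreshExpiry{
		AccessToken:           accessToken,
		TokenType:             "bearer",
		ExpiresIn:             accessLifetimeSeconds,
		RefreshToken:          refreshToken,
		RefreshTokenExpiresIn: refreshSeconds,
	}, nil
}

func main() {
	// 3600 s and 730 h are the lifetimes encoded in the JWTs quoted in the
	// issue; the token strings are placeholders (constructed input).
	reply, err := buildTokenReply("<signed access JWT>", "<signed refresh JWT>", 3600, 730)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	out, err := json.MarshalIndent(reply, "", "  ")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(out))
}
```

Because refresh_token_expires_in is not defined by RFC 6749, a client must treat it as an optional extension field and fall back to attempting the refresh and handling an invalid_grant error when it is absent.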

@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020