JWT not being re-generated by default #51
Comments
When does it not have the exp property?
I'm not sure, @timja. This comes from IDAM and it seems the property is there at the moment. But from this component's perspective, we can never be sure.
It's part of the API contract though, it should always be there =/.
Is it? If that's the case, then it might not be a problem while the ServiceAuthTokenGenerator implementation is used.
Are you mocking the value that's being returned by the s2s server? If so, it sounds like you aren't mocking it correctly.
Hi @timja. We are mocking it and you're right, the value was wrong (as it didn't have the "exp" property).
It's part of the API contract, so no, not an issue.
What would you like to change?
We had some issues regarding JWT not being re-generated when our JWT didn't contain the "exp" property in the payload.
Since this is used in conjunction with a one-time password, I believe that in the case of the JWT not containing the "exp" property, we should always re-generate it (i.e. re-generating should be the default behaviour).
My fear is that if we ever handle a payload that doesn't have an "exp" property, we'll be always returning the same token until spring is restarted.
I'd like to know what the team thinks about it. This is only my interpretation.
References:
One-time password:
service-auth-provider-java-client/src/main/java/uk/gov/hmcts/reform/authorisation/generators/ServiceAuthTokenGenerator.java
Line 36 in a3deb2b
Re-generation logic:
service-auth-provider-java-client/src/main/java/uk/gov/hmcts/reform/authorisation/generators/AutorefreshingJwtAuthTokenGenerator.java
Line 57 in a3deb2b
How do you think that would improve the project?
I think it could prevent problems in production and make functional testing less dependent on testers using the "exp" property.
If this entry is related to a bug, please provide the steps to reproduce it
You will see that steps 2 and 5 will generate the same token (i.e. the service no longer queries the "/lease" endpoint).
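As an added illustration of the default the issue asks for (this is not the project's code; the class and method names, and the supplier standing in for the "/lease" call, are assumed), a refreshing wrapper that treats a cached JWT with no "exp" claim as needing regeneration rather than serving it until restart:

```java
import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Instant;
import java.util.Base64;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical refreshing wrapper around a token supplier; the supplier stands in
// for the project's call to the "/lease" endpoint. The cached token is reused only
// while its "exp" claim is present and still in the future, so a token with no
// "exp" is regenerated on every call instead of being served until a restart.
public class RefreshingTokenCache {
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private final Supplier<String> upstream;
    private final Clock clock;
    private String cached;
    public RefreshingTokenCache(Supplier<String> upstream, Clock clock) {
        this.upstream = upstream;
        this.clock = clock;
    }

    public synchronized String generate() {
        if (cached == null || shouldRefresh(cached)) {
            cached = upstream.get(); // re-lease: the call the issue expects to see again
        }
        return cached;
    }

    // "exp" claim as seconds since the epoch, or -1 when the token is malformed
    // or carries no "exp" claim at all.
    static long expOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) return -1;
        try {
            String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            Matcher m = EXP.matcher(payload);
            return m.find() ? Long.parseLong(m.group(1)) : -1;
        } catch (IllegalArgumentException e) {
            return -1;
        }
    }

    boolean shouldRefresh(String jwt) {
        long exp = expOf(jwt);
        if (exp < 0) return true; // no "exp": regenerate by default, never cache forever
        return Instant.now(clock).getEpochSecond() >= exp;
    }
}
```

With a constructed token whose payload lacks "exp", generate() invokes the supplier on every call, which is the default behaviour the issue proposes; a token with a future "exp" is cached until that time passes.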