
Dealing with Expiring Tokens #17

Open
EdwardHinkle opened this issue Apr 4, 2019 · 4 comments

Comments

@EdwardHinkle

commented Apr 4, 2019

Currently IndieAuth and Micropub don't talk about how to deal with expired tokens, whether auto-expiring tokens or revoked tokens. To get a new token, most Micropub clients will make you log out and back in. However in the new Micropub client era with native apps and Reader web apps, you might not want to have to log out and back in just to refresh your token.

There was some brainstorming in chat about this.

A Micropub Client supporting expiring tokens should do two things:

  1. A Micropub app should look for an "expires_in" attribute being returned with the access token. If it is, after that time frame, if the user tries to start a new post it should prompt them to re-authenticate without logging them out, so they can obtain a new token.

  2. A Micropub app should look at error status codes returned when trying to post to a Micropub endpoint (or when trying to do Micropub Queries). If 401 is returned, the app should consider the existing access token invalid and should re-authenticate without logging them out, so they can obtain a new token.

When to log out: If in the process of re-authenticating the Micropub client is not given a new access token, at that point posting should be disabled. How the Micropub client handles the UI of that is up to the app, whether people still have access to drafts, etc.

A Micropub Server supporting expiring clients should consider two things:

  1. If they have auto-expiring tokens, they should include the expiration time, in terms of seconds until expiry, in the expires_in attribute when providing the access token to the client.

  2. When authenticating a Micropub request or a Micropub query, if the access token is no longer valid (it's revoked or expired or otherwise malformed) it should return a 401 status error code. This will tell the Micropub client it needs to re-authenticate.
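The two client-side rules above (track `expires_in`, treat a 401 as "token invalid") and the two server-side rules (issue `expires_in`, answer an invalid token with 401) as one runnable sketch. This is an added example, not code from the thread or from any Micropub client or server; the class names, the stand-in endpoint and the fixed timestamps are all constructed for illustration. The client re-authenticates without dropping the session and only disables posting when re-authentication yields no new token, which is the "when to log out" behaviour described in the post.

```python
"""Added example: token-lifecycle handling for a Micropub client.

Hypothetical names (Token, MicropubClient, FakeEndpoint); the endpoint is a
constructed stand-in so the example runs offline.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Token:
    access_token: str
    issued_at: float              # seconds since epoch when the token was obtained
    expires_in: Optional[int]     # seconds, as returned by the token endpoint; None if absent

    def is_expired(self, now: float) -> bool:
        # Rule 1 (client): a token without expires_in never expires locally.
        if self.expires_in is None:
            return False
        return now >= self.issued_at + self.expires_in


@dataclass
class Response:
    status: int
    body: str = ""


class FakeEndpoint:
    """Constructed Micropub endpoint: returns 401 for any token it no longer knows."""

    def __init__(self, valid_tokens):
        self.valid = set(valid_tokens)
        self.calls = []

    def __call__(self, token: Token, payload: dict) -> Response:
        self.calls.append((token.access_token, payload))
        if token.access_token not in self.valid:
            return Response(401, "invalid_token")   # Rule 2 (server)
        return Response(201, "created")


class MicropubClient:
    def __init__(self, token: Token,
                 transport: Callable[[Token, dict], Response],
                 reauthenticate: Callable[[], Optional[Token]],
                 clock: Callable[[], float] = time.time):
        self.token = token
        self.transport = transport            # sends the request with a bearer token
        self.reauthenticate = reauthenticate  # runs the IndieAuth flow again; None = no new token
        self.clock = clock
        self.logged_in = True                 # never cleared here: re-auth is not a logout
        self.posting_enabled = True

    def _refresh(self) -> bool:
        new = self.reauthenticate()
        if new is None:
            self.posting_enabled = False      # "when to log out": disable posting, keep drafts/session
            return False
        self.token = new
        self.posting_enabled = True
        return True

    def create_post(self, payload: dict) -> Optional[Response]:
        if not self.posting_enabled:
            return None
        # Rule 1 (client): expired per expires_in -> re-authenticate before sending.
        if self.token.is_expired(self.clock()) and not self._refresh():
            return None
        resp = self.transport(self.token, payload)
        # Rule 2 (client): 401 means the token is revoked/expired -> re-authenticate and retry once.
        if resp.status == 401:
            if not self._refresh():
                return resp
            resp = self.transport(self.token, payload)
        return resp


def demo() -> dict:
    """Walks through fresh token -> local expiry -> server-side revocation."""
    endpoint = FakeEndpoint({"t1", "t2"})
    now = [1000.0]                                   # controllable clock (constructed)
    issued = iter([Token("t2", 5000.0, 3600), None]) # re-auth succeeds once, then fails
    client = MicropubClient(Token("t1", 1000.0, 3600), endpoint,
                            lambda: next(issued), clock=lambda: now[0])
    out = {}
    out["fresh"] = client.create_post({"content": "hello"}).status
    now[0] = 5000.0                                  # past 1000 + 3600 -> t1 expired locally
    out["after_expiry"] = client.create_post({"content": "again"}).status
    out["token_after_refresh"] = client.token.access_token
    endpoint.valid.discard("t2")                     # server revokes the current token
    out["revoked"] = client.create_post({"content": "third"}).status
    out["posting_enabled"] = client.posting_enabled
    out["logged_in"] = client.logged_in
    out["disabled_post"] = client.create_post({"content": "fourth"})
    out["endpoint_calls"] = len(endpoint.calls)
    return out


if __name__ == "__main__":
    print(demo())
```

The retry after a 401 is deliberately limited to one attempt, so a server that keeps rejecting tokens cannot put the client into a re-authentication loop; the second failure is what disables posting.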

@aaronpk

Member

commented Apr 4, 2019

This sounds great, and to be clear, none of this is new behavior defined by Micropub or IndieAuth, it's all part of the existing OAuth 2.0 spec that IndieAuth is based on. We can call this out explicitly but we should not be defining any new normative behavior and instead just reference OAuth 2.0.

@EdwardHinkle

Author

commented Apr 4, 2019

Correct, none of that is new, just that we should define that it IS something clients and servers should do. I think currently it's easy to overlook. I for example can revoke tokens on my IndieAuth server, but if I were to revoke the token for Indigenous for iOS I would have to completely log back out.

@EdwardHinkle

Author

commented Apr 4, 2019

It took a bit of hunting in OAuth 2.0 to decide what all the right values were, so either bringing that into the actual Micropub spec, referring to OAuth 2.0's guidance but saying it SHOULD be supported, or just adding more concrete information on the wiki "how-to" Micropub page. I'm flexible either way.

@dshanske

Member

commented Apr 4, 2019

I would like to implement expiring tokens in my IndieAuth endpoint.
