oauth2: Resolve broken expiry when refreshing id token

Closes #985 Signed-off-by: arekkas <aeneas@ory.am>
ory · Aug 22, 2018 · 3a5bb94 · 3a5bb94
1 parent 0ea6ba0
commit 3a5bb94
Show file tree

Hide file tree

Showing 10 changed files with 40 additions and 33 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -75,7 +75,7 @@
 
 [[constraint]]
   name = "github.com/ory/fosite"
-  version = "0.21.2"
+  version = "0.21.3"
 
 [[constraint]]
   name = "github.com/ory/graceful"

diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
@@ -66,6 +66,7 @@ func newOAuth2Provider(c *config.Config) fosite.OAuth2Provider {
 		AccessTokenLifespan:            c.GetAccessTokenLifespan(),
 		AuthorizeCodeLifespan:          c.GetAuthCodeLifespan(),
 		IDTokenLifespan:                c.GetIDTokenLifespan(),
+		IDTokenIssuer:                  c.Issuer,
 		HashCost:                       c.BCryptWorkFactor,
 		ScopeStrategy:                  c.GetScopeStrategy(),
 		SendDebugMessagesToClients:     c.SendOAuth2DebugMessagesToClients,
@@ -78,7 +79,11 @@ func newOAuth2Provider(c *config.Config) fosite.OAuth2Provider {
 	if err != nil {
 		c.GetLogger().WithError(err).Fatalf("Unable to refresh OpenID Connect signing keys.")
 	}
-	oidcStrategy := &openid.DefaultStrategy{JWTStrategy: jwtStrategy}
+	oidcStrategy := &openid.DefaultStrategy{
+		JWTStrategy: jwtStrategy,
+		Expiry:      c.GetIDTokenLifespan(),
+		Issuer:      c.Issuer,
+	}
 
 	var coreStrategy foauth2.CoreStrategy
 	hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret())
@@ -205,8 +210,8 @@ func newOAuth2Handler(c *config.Config, frontend, backend *httprouter.Router, cm
 		OpenIDJWTStrategy:      openIDJWTStrategy,
 		AccessTokenJWTStrategy: accessTokenJWTStrategy,
 		AccessTokenStrategy:    c.OAuth2AccessTokenStrategy,
-		IDTokenLifespan:        c.GetIDTokenLifespan(),
-		ShareOAuth2Debug:       c.SendOAuth2DebugMessagesToClients,
+		//IDTokenLifespan:        c.GetIDTokenLifespan(),
+		ShareOAuth2Debug: c.SendOAuth2DebugMessagesToClients,
 	}
 
 	handler.SetRoutes(frontend, backend)

diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -625,10 +625,11 @@ func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprout
 			Claims: &jwt.IDTokenClaims{
 				// We do not need to pass the audience because it's included directly by ORY Fosite
 				//Audience:    []string{authorizeRequest.GetClient().GetID()},
-				Subject:     session.ConsentRequest.SubjectIdentifier,
-				Issuer:      strings.TrimRight(h.IssuerURL, "/") + "/",
-				IssuedAt:    time.Now().UTC(),
-				ExpiresAt:   time.Now().Add(h.IDTokenLifespan).UTC(),
+				Subject:  session.ConsentRequest.SubjectIdentifier,
+				Issuer:   strings.TrimRight(h.IssuerURL, "/") + "/",
+				IssuedAt: time.Now().UTC(),
+				// This is set by the fosite strategy
+				//ExpiresAt:   time.Now().Add(h.IDTokenLifespan).UTC(),
 				AuthTime:    session.AuthenticatedAt,
 				RequestedAt: session.RequestedAt,
 				Extra:       session.Session.IDToken,

diff --git a/oauth2/handler_struct.go b/oauth2/handler_struct.go
@@ -44,8 +44,8 @@ type Handler struct {
 	ErrorURL   url.URL
 
 	AccessTokenLifespan time.Duration
-	IDTokenLifespan     time.Duration
-	CookieStore         sessions.Store
+	//IDTokenLifespan     time.Duration
+	CookieStore sessions.Store
 
 	OpenIDJWTStrategy      jwk.JWTStrategy
 	AccessTokenJWTStrategy jwk.JWTStrategy

diff --git a/oauth2/introspector_test.go b/oauth2/introspector_test.go
@@ -65,7 +65,7 @@ func TestIntrospectorSDK(t *testing.T) {
 			memoryStore,
 			&compose.CommonStrategy{
 				CoreStrategy:               compose.NewOAuth2HMACStrategy(fc, []byte("1234567890123456789012345678901234567890")),
-				OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
+				OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fc, pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
 			},
 			nil,
 			compose.OAuth2AuthorizeExplicitFactory,

diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go
@@ -185,11 +185,12 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 							compose.OAuth2TokenRevocationFactory,
 							compose.OAuth2TokenIntrospectionFactory,
 						),
-						Consent:         consentStrategy,
-						CookieStore:     cookieStore,
-						H:               herodot.NewJSONWriter(l),
-						ScopeStrategy:   fosite.ExactScopeStrategy,
-						IDTokenLifespan: time.Minute, IssuerURL: ts.URL, ForcedHTTP: true, L: l,
+						Consent:       consentStrategy,
+						CookieStore:   cookieStore,
+						H:             herodot.NewJSONWriter(l),
+						ScopeStrategy: fosite.ExactScopeStrategy,
+						//IDTokenLifespan: time.Minute,
+						IssuerURL: ts.URL, ForcedHTTP: true, L: l,
 						OpenIDJWTStrategy: jwtStrategy,
 					}
 					handler.SetRoutes(router, router)
@@ -734,13 +735,13 @@ func TestAuthCodeWithMockStrategy(t *testing.T) {
 					compose.OAuth2TokenRevocationFactory,
 					compose.OAuth2TokenIntrospectionFactory,
 				),
-				Consent:           consentStrategy,
-				CookieStore:       sessions.NewCookieStore([]byte("foo-secret")),
-				ForcedHTTP:        true,
-				L:                 l,
-				H:                 herodot.NewJSONWriter(l),
-				ScopeStrategy:     fosite.HierarchicScopeStrategy,
-				IDTokenLifespan:   time.Minute,
+				Consent:       consentStrategy,
+				CookieStore:   sessions.NewCookieStore([]byte("foo-secret")),
+				ForcedHTTP:    true,
+				L:             l,
+				H:             herodot.NewJSONWriter(l),
+				ScopeStrategy: fosite.HierarchicScopeStrategy,
+				//IDTokenLifespan:   time.Minute,
 				IssuerURL:         ts.URL,
 				OpenIDJWTStrategy: jwtStrategy,
 			}

diff --git a/oauth2/oauth2_client_credentials_test.go b/oauth2/oauth2_client_credentials_test.go
@@ -100,10 +100,10 @@ func TestClientCredentials(t *testing.T) {
 					compose.OAuth2TokenIntrospectionFactory,
 				),
 				//Consent:         consentStrategy,
-				CookieStore:       sessions.NewCookieStore([]byte("foo-secret")),
-				ForcedHTTP:        true,
-				ScopeStrategy:     fosite.HierarchicScopeStrategy,
-				IDTokenLifespan:   time.Minute,
+				CookieStore:   sessions.NewCookieStore([]byte("foo-secret")),
+				ForcedHTTP:    true,
+				ScopeStrategy: fosite.HierarchicScopeStrategy,
+				//IDTokenLifespan:   time.Minute,
 				H:                 herodot.NewJSONWriter(l),
 				L:                 l,
 				IssuerURL:         ts.URL,

diff --git a/oauth2/oauth2_helper_test.go b/oauth2/oauth2_helper_test.go
@@ -33,11 +33,11 @@ import (
 var hasher = &fosite.BCrypt{}
 var oauth2OpqaueStrategy = &compose.CommonStrategy{
 	CoreStrategy:               compose.NewOAuth2HMACStrategy(fc, []byte("some super secret secret secret secret")),
-	OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
+	OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fc, pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
 }
 var oauth2JWTStrategy = &compose.CommonStrategy{
 	CoreStrategy:               compose.NewOAuth2JWTStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST(), compose.NewOAuth2HMACStrategy(fc, []byte("some super secret secret secret secret"))),
-	OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
+	OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fc, pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
 }
 
 var fc = &compose.Config{

diff --git a/oauth2/revocator_test.go b/oauth2/revocator_test.go
@@ -81,7 +81,7 @@ func TestRevoke(t *testing.T) {
 			store,
 			&compose.CommonStrategy{
 				CoreStrategy:               compose.NewOAuth2HMACStrategy(fc, []byte("1234567890123456789012345678901234567890")),
-				OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
+				OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fc, pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
 			},
 			nil,
 			compose.OAuth2TokenIntrospectionFactory,