Make ID Token expiresAt configurable #1500

Closed
git9999999 opened this issue Jan 9, 2024 · 2 comments
@git9999999

Expected Behavior
I want to be able to configure the ID Token expiresAt.

Current Behavior
The value is a fixed value with a TODO, see

Context
We use spring authorization server in our test environments. There we have no valuable data. As we use Angular with the Lib https://www.npmjs.com/package/angular-auth-oidc-client we would like to use a refresh token, but this is not supported by spring-authorization-server. This means for us that every user is logged out after 30min as of this fixed value.
The only fix available is to increase this timeout so the testers can test for some hours.

If you agree to this proposal, please let me know. I would try to make a PR.

@git9999999 git9999999 added the type: enhancement A general enhancement label Jan 9, 2024
@jgrandja
Collaborator

jgrandja commented Jan 9, 2024

Closing this as a duplicate of gh-790.

@git9999999

If an application needs to override the default 30min expiry for an ID Token, you can use an OAuth2TokenCustomizer to override the default.

@jgrandja jgrandja closed this as completed Jan 9, 2024
@jgrandja jgrandja self-assigned this Jan 9, 2024
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: enhancement A general enhancement labels Jan 9, 2024
@git9999999
Author

git9999999 commented Jan 10, 2024

Just for documentation, so other people have the code ready to fix this problem, here is how I fixed this issue.

This line did the fix:

```java
context.getClaims().claim("exp", Instant.now().plus(14, HOURS));
```

```java
// HOURS is presumably a static import of java.time.temporal.ChronoUnit.HOURS.
@Bean
public OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer() {
    return context -> {
        var principal = context.getPrincipal();
        if (Objects.equals(context.getTokenType().getValue(), "access_token") && principal instanceof UsernamePasswordAuthenticationToken) {
            var user = (User) principal.getPrincipal();
            context.getClaims().claim("preferred_username", user.getUsername());
            context.getClaims().claim(USER_ID_CLAIM_KEY.getKey(), user.getUsername());
            context.getClaims().claim("groups", List.of(AZURE_AD_GROUP_AAA_DEV_ADMINPORTAL));
            context.getClaims().claim("correlationId", UUID.randomUUID().toString());
        }
        if (context.getTokenType().getValue().equals(OidcParameterNames.ID_TOKEN)) {
            var user = (User) principal.getPrincipal();
            context.getClaims()
                .claim("preferred_username", user.getUsername());
            // Overwrite the exp of the ID token so testers can test for longer
            context.getClaims().claim("exp", Instant.now().plus(14, HOURS));
            context.getClaims().claim("groups", List.of(AZURE_AD_GROUP_AAA_DEV_ADMINPORTAL));
        }
    };
}
```
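
A configurable variant of the workaround above, as an added example that is not part of the original thread or the project's own code. It reads the ID token lifetime from a property, rejects out-of-range values at startup, and derives `exp` from the `iat` already set on the token; the property name `test.idtoken.ttl`, the class name and the 24-hour cap are assumptions.

```java
import java.time.Duration;
import java.time.Instant;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class IdTokenLifetimeConfig {

    // Assumed hard upper bound so a mistyped property cannot yield near-permanent ID tokens.
    private static final Duration MAX_TTL = Duration.ofHours(24);

    // "test.idtoken.ttl" is a hypothetical property (ISO-8601 duration, e.g. PT14H).
    // The default PT30M matches the 30-minute default discussed in this issue.
    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> idTokenLifetimeCustomizer(
            @Value("${test.idtoken.ttl:PT30M}") String ttlIso) {
        Duration ttl = Duration.parse(ttlIso);
        if (ttl.isZero() || ttl.isNegative() || ttl.compareTo(MAX_TTL) > 0) {
            throw new IllegalArgumentException(
                    "ID token TTL must be positive and at most " + MAX_TTL + ", got " + ttl);
        }
        return context -> {
            // Leave access tokens and every other token type untouched.
            if (!OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
                return;
            }
            context.getClaims().claims(claims -> {
                // Anchor exp to the token's existing iat so the two claims stay consistent.
                Object iat = claims.get(JwtClaimNames.IAT);
                Instant issuedAt = (iat instanceof Instant) ? (Instant) iat : Instant.now();
                claims.put(JwtClaimNames.IAT, issuedAt);
                claims.put(JwtClaimNames.EXP, issuedAt.plus(ttl));
            });
        };
    }
}
```

If the application already registers a `JwtEncodingContext` customizer, as in the comment above, merge this logic into that bean rather than registering a second one. Setting the property only in the test profile keeps the 30-minute default everywhere else.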
