mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-24 04:57:00 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity

Hopefully fix exp issues by making it a stable part of the access token. (#1434)

Browse source
This commit is contained in:
Firstyear 2023-03-06 16:17:19 +10:00 committed by GitHub
parent 113258d523
commit ff78dc8f38
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
server/lib/src/idm/oauth2.rs
View file

@ -130,6 +130,7 @@ enum Oauth2TokenType {
expiry: time::OffsetDateTime, expiry: time::OffsetDateTime,
uuid: Uuid, uuid: Uuid,
iat: i64, iat: i64,
exp: i64,
nbf: i64, nbf: i64,
auth_time: Option<i64>, auth_time: Option<i64>,
}, },
@ -1103,7 +1104,9 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
OAUTH2_ACCESS_TOKEN_EXPIRY, OAUTH2_ACCESS_TOKEN_EXPIRY,
) )
}; };
// let expiry = odt_ct + Duration::from_secs(expires_in as u64);
// TODO: Make configurable from auth policy!
let exp = iat + (expires_in as i64);
let scope = if code_xchg.scopes.is_empty() { let scope = if code_xchg.scopes.is_empty() {
None None
@ -1129,9 +1132,6 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
// amr == auth method // amr == auth method
let amr = Some(vec![code_xchg.uat.auth_type.to_string()]); let amr = Some(vec![code_xchg.uat.auth_type.to_string()]);
// TODO: Make configurable from auth policy!
let exp = iat + (expires_in as i64);
let iss = o2rs.iss.clone(); let iss = o2rs.iss.clone();
let entry = match self.qs_read.internal_search_uuid(code_xchg.uat.uuid) { let entry = match self.qs_read.internal_search_uuid(code_xchg.uat.uuid) {
@ -1192,6 +1192,7 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
expiry, expiry,
uuid: code_xchg.uat.uuid, uuid: code_xchg.uat.uuid,
iat, iat,
exp,
nbf: iat, nbf: iat,
auth_time: None, auth_time: None,
}; };
@ -1275,6 +1276,7 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
expiry, expiry,
uuid, uuid,
iat, iat,
exp,
nbf, nbf,
auth_time: _, auth_time: _,
} => { } => {
@ -1284,7 +1286,6 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
security_info!(?uuid, "access token has expired, returning inactive"); security_info!(?uuid, "access token has expired, returning inactive");
return Ok(AccessTokenIntrospectResponse::inactive()); return Ok(AccessTokenIntrospectResponse::inactive());
} }
let exp = iat + (expiry - odt_ct).whole_seconds();
// Is the user expired, or the oauth2 session invalid? // Is the user expired, or the oauth2 session invalid?
let valid = self let valid = self
@ -1322,8 +1323,8 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
client_id: Some(client_id.clone()), client_id: Some(client_id.clone()),
username: Some(account.spn), username: Some(account.spn),
token_type, token_type,
exp: Some(exp),
iat: Some(iat), iat: Some(iat),
exp: Some(exp),
nbf: Some(nbf), nbf: Some(nbf),
sub: Some(uuid.to_string()), sub: Some(uuid.to_string()),
aud: Some(client_id), aud: Some(client_id),
@ -1380,6 +1381,7 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
expiry, expiry,
uuid, uuid,
iat, iat,
exp,
nbf, nbf,
auth_time: _, auth_time: _,
} => { } => {
@ -1389,7 +1391,6 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
security_info!(?uuid, "access token has expired, returning inactive"); security_info!(?uuid, "access token has expired, returning inactive");
return Err(Oauth2Error::InvalidToken); return Err(Oauth2Error::InvalidToken);
} }
let exp = iat + (expiry - odt_ct).whole_seconds();
// Is the user expired, or the oauth2 session invalid? // Is the user expired, or the oauth2 session invalid?
let valid = self let valid = self