[ https://issues.apache.org/jira/browse/KNOX-3038?focusedWorklogId=918621&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918621 ]

ASF GitHub Bot logged work on KNOX-3038:
----------------------------------------

Author: ASF GitHub Bot
Created on: 09/May/24 21:45
Start Date: 09/May/24 21:45
Worklog Time Spent: 10m
Work Description: lmccay commented on code in PR #907:
URL: https://github.com/apache/knox/pull/907#discussion_r1596018729

########## gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/OAuthResource.java: ##########
@@ -90,6 +91,7 @@ public Response getAuthenticationToken() { map.put(ISSUED_TOKEN_TYPE, ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE); // let's use the passcode as the refresh token map.put(REFRESH_TOKEN, passcode); + map.put(LIFETIME, getTokenLifetimeInSeconds());

Review Comment:
If I am reading this correctly, then returning the actual value in the response as lifetime_secs would be unexpected by OAuth flow consumers/clients. They will be looking for expires_in.
I think what we need to do is calculate both the existing expires_in which is millis since epoch as well as this OAuth expires_in which is lifetime_secs and return one in the response and store the other in the token metadata for reaping and monitoring, etc.

Issue Time Tracking
-------------------

Worklog Id: (was: 918621)
Time Spent: 20m (was: 10m)

> OAuth resource tokens are short-lived
> -------------------------------------
>
> Key: KNOX-3038
> URL: https://issues.apache.org/jira/browse/KNOX-3038
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The tokens generated using the new OAuth resource (see KNOX-3028 for details)
> have their expiration time in a format that indicates the time (in
> milliseconds) from the epoch. This is wrong because the reaper thread will
> eliminate them as soon as the next time it's triggered.
> It's also important to emphasize that tokens generated on the path need some
> sort of indication of this value in the response.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
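
Review bot: the added line map.put(LIFETIME, getTokenLifetimeInSeconds()); in getAuthenticationToken() puts the lifetime into the response under its own key, and the hunk does not show whether an absolute expiry value is still written to the same map, so a client could end up with two expiry fields in different units (a lifetime in seconds and milliseconds since the epoch) and pick the wrong one when deciding whether a token is still valid. RFC 6749 section 5.1 defines expires_in as the token lifetime in seconds, so consider returning the seconds value under that name in the OAuth response and keeping the epoch-millisecond value only in the token metadata that the reaper reads. A comment on the LIFETIME constant stating its unit, and a test asserting which field and unit the response carries, would keep the two from being confused again.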