Add JWT token expiration at JWTSettings level - NominalDiffTime #1599
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ion in NominalDiffTime
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduction
The ability to set expiration to the
JWT Tokeninservant-auth-serverlibrary, rests on theCookieSettingsdata type configuration and in particular in the fieldcookieExpiresas we can appreciate it here.Discussion
The problems regarding using this field for setting
JWT Tokenexpiration time are the following:CookieSettingsare usually created at application startup time and it keeps with the same values during the whole application life cycle. SincecookieExpiresis an absolute and deterministic point in time, futuresJWT Tokenswill contain precisely the same expiration time leading to an undesired behavior and expiring the token upon creation.CookieSettingsis a particular Data Type for all the cookies andJWT Tokenshould not be coupled to the rest of the cookies.JWT Tokenswith specificDiffTimeexpirations, like for example configure the authentication context to create a JWT that expires in 2 hours, even usingCookieSettings.cookieExpires.acceptLoginfunction and the creation of theCookieSettingsvalue every time the entity authenticates successfully, but this authentication setup is manual and cannot be done withBasicAuthenticationcombinator.Proposal
The proposal is implemented in this PR and includes the following changes:
expiresIn :: Maybe NominalDiffTimeinJWTSettingsMaybe UTCTimeparameter frommakeJWTfunction.makeJWTfunction usinggetCurrentTime + expiresInif it is present.Solution
JWTSettingsandCookieSettingsbut allow the user to set an optionalNominalDiffTimeto calculate the expiration of theJWT Tokenupon token creation if the value is present.acceptLoginand allowingBasicAuthenticationcontext to handle the creation of the token by itself.