No Ability to override access token expiration

[kgoto1]

It seems the config AccessTokenLifespan is always set for access_token expiration, although I can override refresh token expiration using the session. Whatever is set in the session ExpiresAt gets overwritten with the following line, so it seems we can't customize access_token length? It seems removing the second line would open up more options to customize per client, etc.

flow_authorize_code_token.go: Line 69
request.GetSession().SetExpiresAt(fosite.AccessToken, time.Now().Add(c.AccessTokenLifespan))

[aeneasr]

If you're using the default session, any previous value should not be overriden, see this line

[kgoto1]

I'm using the openid.DefaultSession which has the same logic.
Hmm, but maybe I am not understanding this line.
https://github.com/ory/fosite/blob/master/handler/oauth2/flow_authorize_code_token.go#L64
It seems to always set expiresAt to c.AccessTokenLifespan, which you define once per provider instance.

maybe that line should be....
request.GetSession().SetExpiresAt**(getExpiresAt(authorizeRequest, fosite.AccessToken,
c.AccessTokenLifespan, time.Now()))**

then it would check for an existing expiresAt value??
edit: Actually... that line should just be removed, since the previous line is... :)
request.SetSession(authorizeRequest.GetSession())

[aeneasr]

Right, here's what I missed: You need to set the expiry of the session after calling NewAccessRequest(ctx context.Context, req *http.Request, session Session) (AccessRequester, error), not before - otherwise it get's overwritten. This is of course not ideal and the setter should only set the value if no previous value exists. Putting the expiry after NewAccessRequest should "hotfix" that though.

[kgoto1]

Thanks, I was able to work around the problem with your suggestion. It would be helpful to document somewhere how expiry setting should work... I am setting this in the session on the initial /authorize handler, but it seems this could also be set in the /token handler, both take sessions by the fosite handlers and persisted. I'm not sure which is more standard or will be better supported.

[kujenga]

@arekkas I started a branch fixing this issue: master...kujenga:no-override-token-expiration

Do you have advice on how to test this, and what a good location would be to better document the behavior?

[aeneasr]

Nice, that looks good. Most of those flows have tests where the behaviour is checked quite thorougly, you could probably add another test case (or two) with expected in/outputs (e.g. input with time / expect output with same time, input without time / expect output with default time)

[aeneasr]

Regarding docs, maybe we could add an "FAQ", "Gotchas", or "Knowledge Base" section to the readme?

[mitar]

Two additional things for FAQ would be:

• How to handle audiences.
• That if you forget to call ar.GrantScope(scope) in your authorization endpoint for at least openid, OpenID breaks in very cryptic ways across various flows (some succeed, but do not return ID token, some say no handler was able to process the request, etc.).