search

golang / oauth2

Go OAuth2
https://golang.org/x/oauth2
BSD 3-Clause "New" or "Revised" License
5.38k stars 990 forks source link

Token expiration tolerance should be configurable #249

Open CSEMike opened 7 years ago

CSEMike commented 7 years ago

The expiryDelta used to calculate token validity is fixed at 10 seconds. https://github.com/golang/oauth2/blob/master/token.go#L21

This issue tracks making this value configurable. Why? To support scenarios where the token may be not be used until >10s in the future.

Token validity is used to refresh cached values, e.g., https://github.com/golang/oauth2/blob/master/oauth2.go#L260

An alternative API would be to support invalidation of the token cache. But, in either case, a way to configure the max acceptable age of a token is necessary to avoid corner cases when expiration is near.

narqo commented 7 years ago

👍 for the issue.

My usecase is to force refresh stored tokens and I need to have custom expiryDelta.

Another possible solution might be to expose tokenRefresher, so one would have much more control over the refreshment process.

fharding1 commented 5 years ago

I've opened a PR that would accommodate this issue here: https://github.com/golang/oauth2/pull/396

andig commented 1 year ago

This is really needed. Some OAuth services have expiry of access token=refresh token which makes using standard library oauth impossible.

andig commented 1 year ago

An alternative API would be to support invalidation of the token cache. But, in either case, a way to configure the max acceptable age of a token is necessary to avoid corner cases when expiration is near.

Yet another option would be to expose the capability to refresh the token on demand. If you consider the case above I'd still need to trigger token requests within the expiry delta to actually refresh. Could as well just invoke the exposed Refresh() capability.

andig commented 1 year ago

Note: this issue actually looks a lot like https://github.com/golang/oauth2/commit/4abfd87339731bbbde108264890e9636453bf0f9.

/cc @codyoss @rolandshoemaker any chance to move this forward?

andig commented 1 year ago

Going through the commits it seems we could already do this with https://github.com/golang/oauth2/commit/1e7f32936487c0d8052d63fd32d84f4c1121986e.

andig commented 1 year ago

That said: looks like this issue could be closed @CSEMike