Describe the bug
The _get_token_from_authentication_server interprets the expire date wrong. The token is read from content['exp'] which is defined as NumericDate which in turn is defined as UNIX UTC Timestamp (seconds since epoch). The exp is converted to a date using utcfromtimestamp followed by make_aware to turn it into a timezone aware date. The latter uses the timezone as chosen for your project, while it should use the UTC timezone. Now given a timezone +2 and an access token which expires after an hour, the access token will be invalid because it's in the past.
To Reproduce
Set up an identity provider that serves access tokens with ACCESS_TOKEN_EXPIRE_SECONDS set to 3600
Set up a resource server with timezone set to TIME_ZONE = "Europe/Amsterdam" (+2)
Request Access Token and try to access Resource Server
Access Token is always expired
Expected behavior
Access token is invalid
Version
django-oauth-toolkit==2.3.0
[x] I have tested with the latest published release and it's still a problem.
[x] I have tested with the master branch and it's still a problem.
Additional context
It's rather easy to fix changing:
- expires = make_aware(expires) if settings.USE_TZ else expires`
+ expires = make_aware(expires, timezone=pytz.UTC) if settings.USE_TZ else expires`
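Review bot: the `+` line reaches for `pytz.UTC`, but Django 4.0 moved to zoneinfo and Django 5.0 no longer ships pytz support, so the patch should pass a stdlib tzinfo instead, e.g. `expires = make_aware(expires, timezone=datetime.timezone.utc) if settings.USE_TZ else expires`. The naive `utcfromtimestamp` intermediate (deprecated since Python 3.12) can also be dropped in the `USE_TZ` branch by building the aware value directly with `datetime.fromtimestamp(content['exp'], tz=datetime.timezone.utc)`, which cannot be mislabelled by any later `make_aware` call. The trailing backtick on both hunk lines looks like a paste artifact and should not be part of the change.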
For backwards compatibility it would be better to have a setting which allows you to change the timezone specifically for the expire token.
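The arithmetic behind the report, reproduced in plain Python without Django as an added example (this is not the project's code nor the reporter's): a stand-in `make_aware` that attaches a tzinfo the way Django's does for zoneinfo zones, the current labelling with the project zone, and the proposed UTC labelling, all checked against a fixed instant so the result is deterministic. `make_aware`, `issue_exp_claim`, `expires_buggy`, `expires_fixed`, `expires_direct`, `is_expired`, `seconds_until_expiry` and the constants are assumed names for this illustration; the "now" instant is constructed.

```python
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    PROJECT_TZ = ZoneInfo("Europe/Amsterdam")   # TIME_ZONE of the resource server
except Exception:                               # no tz database available: approximate the summer offset
    PROJECT_TZ = timezone(timedelta(hours=2))

# Constructed "now": 2023-07-01 12:00:00 UTC, when Europe/Amsterdam is on CEST (UTC+2).
NOW_UTC = datetime(2023, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
ACCESS_TOKEN_EXPIRE_SECONDS = 3600


def make_aware(naive: datetime, tz) -> datetime:
    """Stand-in for django.utils.timezone.make_aware (assumption: like Django with a
    zoneinfo/stdlib tz it only attaches tzinfo, it does not convert the clock time)."""
    if naive.tzinfo is not None:
        raise ValueError("expected a naive datetime")
    return naive.replace(tzinfo=tz)


def issue_exp_claim(now: datetime = NOW_UTC, lifetime: int = ACCESS_TOKEN_EXPIRE_SECONDS) -> int:
    """What the identity provider puts in the JWT 'exp' claim: a NumericDate,
    i.e. seconds since the UNIX epoch, UTC (RFC 7519 section 2)."""
    return int((now + timedelta(seconds=lifetime)).timestamp())


def expires_buggy(exp: int) -> datetime:
    """Resource-server side as described in the bug: naive UTC clock time, then
    labelled with the *project* zone, which moves the instant by that zone's UTC offset."""
    naive_utc = datetime.utcfromtimestamp(exp)
    return make_aware(naive_utc, PROJECT_TZ)


def expires_fixed(exp: int) -> datetime:
    """The proposed one-line fix: label the naive UTC clock time as UTC."""
    naive_utc = datetime.utcfromtimestamp(exp)
    return make_aware(naive_utc, timezone.utc)


def expires_direct(exp: int) -> datetime:
    """Same instant without a naive intermediate (and without utcfromtimestamp,
    which is deprecated since Python 3.12)."""
    return datetime.fromtimestamp(exp, tz=timezone.utc)


def is_expired(expires: datetime, now: datetime = NOW_UTC) -> bool:
    """Aware-vs-aware comparison, as a resource server would do against timezone.now()."""
    return expires <= now


def seconds_until_expiry(expires: datetime, now: datetime = NOW_UTC) -> int:
    return int((expires - now).total_seconds())


if __name__ == "__main__":
    exp = issue_exp_claim()
    for name, fn in (("buggy", expires_buggy), ("fixed", expires_fixed), ("direct", expires_direct)):
        e = fn(exp)
        print(f"{name}: expires={e.isoformat()} expired={is_expired(e)} "
              f"seconds_left={seconds_until_expiry(e)}")
```

With a one-hour lifetime and a +2 project zone the mislabelled expiry lands one hour in the past, so the token is rejected the moment it is issued; the size of the shift is whatever the project zone's UTC offset happens to be at that instant, so the same resource server would behave differently in winter (CET, +1), which is why pinning the label to UTC rather than adding an offset is the right fix.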