joshsoftware / sso-devise-omniauth-provider

A devise Omniauth server which handles Single Sign On
http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/
MIT License

AccessToken expiry... #7

Open brockgr opened 12 years ago

brockgr commented 12 years ago

In the AuthController, when a client is granted an access token (an AccessGrant instance) and start_expiry_period! is called, an expiry of two days is stored in the database. However the AuthController then goes on to send an expires_in of Devise.timeout_in to the client, which in my case seems to be 30 minutes.

Unless I'm mistaken (which is quite possible!), shouldn't the expires_in be read from the AccessGrant, or both of these read from Devise.timeout_in?

If you have a preference for which, I'll put in a pull request.

Regards,

Gavin

gautamrege commented 12 years ago

You're right. I would rather keep expires_in as Devise.timeout_in.

Do send me a pull request.

brockgr commented 12 years ago

Please find the referenced pull to set the AccessGrant life.

I'm suspecting there is still more work to do regarding renewing expiring tokens - there is currently no handling of refreshes - is that right? From what I see, the oauth2 client will call the auth_controller access_token with "grant_type"=>"refresh_token" and the refresh_token. It seems that the auth-provider will need to handle that.

gautamrege commented 12 years ago

Yup - I don't think I handle a token refresh.

When I set this up the first time (earlier version of oauth), refresh_token call was redirecting to a sign-in (i.e. refresh was not working at all). I upgraded to the latest oauth2 version but I guess that got left out - thanks for pointing it out.

I'll fix that.

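The two points raised in this thread, as an added example that is not part of the thread and not the project's code: the stored expiry and the advertised expires_in come from one TTL, and a "grant_type"=>"refresh_token" request is answered with a new token pair. `TokenEndpoint`, `Grant`, `TOKEN_TTL`, `issue` and `valid?` are hypothetical names, the in-memory store stands in for the database, and retiring the old pair on refresh is an assumption of this sketch.

```ruby
require "securerandom"

TOKEN_TTL = 30 * 60 # stand-in for Devise.timeout_in (30 minutes in the report)

# Plain-Ruby stand-in for the AccessGrant model, not the project's class.
Grant = Struct.new(:access_token, :refresh_token, :expires_at) do
  # Stored expiry and advertised expires_in both derive from TOKEN_TTL.
  def start_expiry_period!(now)
    self.expires_at = now + TOKEN_TTL
  end

  def expires_in(now)
    [(expires_at - now).to_i, 0].max
  end
end

# Hypothetical token endpoint holding grants in memory.
class TokenEndpoint
  def initialize
    @by_access = {}
    @by_refresh = {}
  end

  # Issue a grant (the authorization-code exchange itself is omitted).
  def issue(now)
    grant = Grant.new(SecureRandom.hex(16), SecureRandom.hex(16))
    grant.start_expiry_period!(now)
    @by_access[grant.access_token] = grant
    @by_refresh[grant.refresh_token] = grant
    { "access_token" => grant.access_token,
      "refresh_token" => grant.refresh_token,
      "expires_in" => grant.expires_in(now) }
  end

  # grant_type=refresh_token: retire the old pair, then issue a new one.
  def access_token(params, now)
    return { "error" => "unsupported_grant_type" } unless params["grant_type"] == "refresh_token"
    old = @by_refresh.delete(params["refresh_token"])
    return { "error" => "invalid_grant" } if old.nil?
    @by_access.delete(old.access_token)
    issue(now)
  end

  # Server-side check uses the same stored expiry the client was told about.
  def valid?(access_token, now)
    grant = @by_access[access_token]
    !grant.nil? && now < grant.expires_at
  end
end
```

Because the refresh token is deleted on use, presenting it a second time returns `invalid_grant`.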