Open sburton84 opened 5 years ago
Related to #324 though I'm not sure if this was ever resolved or not? The comments there suggest so, but your repro suggests it doesn't...
Ah, I didn't see that issue, it does sound like the same thing. It sounds like they just worked around the issue by using `hasValidIdToken` as well as `hasValidAccessToken`, but this is only a workaround as the two tokens aren't necessarily guaranteed to have the same expiration.
Describe the bug
When receiving an access token only the `expires_in` field in the OIDC response is honoured, if there is an `exp` field within the access token JWT itself this is ignored, which results in no expiry being stored if there is no `expires_in` field, even when the expiry is specified in the JWT.
To Reproduce
Steps to reproduce the behavior:
`expires_in` field but has an `exp` field within the `access_token` JWT
`getAccessTokenExpiration`
`null`
Expected behavior
`getAccessTokenExpiration` should return a non-null result containing the expiry from the `exp` field within the JWT.
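
One way a client could compute the expiry this issue asks for, as an added example in plain JavaScript (not the library's own code): `accessTokenExpiresAt`, `decodeJwtPayload` and `makeSampleJwt` are hypothetical names, and the sample token is constructed. The `exp` claim is read without signature verification, so the result is only a client-side refresh hint; opaque or malformed tokens yield `null`.

```javascript
// Decode the payload segment of a JWT WITHOUT verifying its signature.
// Returns null for opaque (non-JWT) or malformed tokens.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    // base64url -> base64, then restore the stripped padding
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    const claims = JSON.parse(atob(padded));
    return claims !== null && typeof claims === 'object' ? claims : null;
  } catch (e) {
    return null; // invalid base64 or invalid JSON
  }
}

// Hypothetical helper: expiry in epoch milliseconds, or null if unknown.
// Prefers `expires_in` from the token response, then the JWT `exp` claim.
function accessTokenExpiresAt(tokenResponse, nowMs) {
  const expiresIn = Number(tokenResponse.expires_in);
  if (tokenResponse.expires_in != null && Number.isFinite(expiresIn)) {
    return nowMs + expiresIn * 1000; // `expires_in` is a lifetime in seconds
  }
  const claims = decodeJwtPayload(tokenResponse.access_token);
  if (claims && Number.isFinite(claims.exp)) {
    return claims.exp * 1000; // `exp` is seconds since the epoch (RFC 7519)
  }
  return null; // neither source gives an expiry
}

// Builds a constructed sample token; the signature segment is a placeholder.
function makeSampleJwt(claims) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}
```
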