mitaroThanken / gwt-oauth2

Automatically exported from code.google.com/p/gwt-oauth2
Apache License 2.0
0 stars 0 forks source link

access_tokens without expires_in are immediately invallidated #11

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago

4.2.2.  Access Token Response
...
   expires_in
         OPTIONAL.  The lifetime in seconds of the access token.  For
         example, the value "3600" denotes that the access token will
         expire in one hour from the time the response was generated.

If the expires_in parameter is omitted gwt-oauth2 will immediately invallidate 
the access_token on the next use. 

What is the expected output? What do you see instead?

It seems more logical that the token won't expire if the expires_in is ommited

What version of the product are you using? On what operating system?
0.2-alpha

Original issue reported on code.google.com by wolter.e...@gmail.com on 27 Oct 2011 at 1:14

GoogleCodeExporter commented 9 years ago
For reference, I believe this is the section you're referencing: 
http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2.2

Unfortunately the spec is not clear about what should be done when the 
expiration isn't specified. Lacking a clear answer, I implemented it as being a 
one-time token. I don't know of any server implementations that issue tokens 
without any expiration (I'm really only familiar with the ones in the demo), 
but if there are any, I'm happy to consider changing my assumption to allow 
expiration-free tokens.

Original comment by jasonhall@google.com on 27 Oct 2011 at 3:12

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
may i know which file need to modify in order to make change the default 
expirary time?  what is the maximum can set?

Original comment by travalle...@gmail.com on 27 Dec 2011 at 1:34

GoogleCodeExporter commented 9 years ago
Is it correct just by changing expires_in=XXX in below file AuthRequest ?  what 
is the maximum can set?

  String toUrl(Auth.UrlCodex urlCodex) {
    return new StringBuilder(authUrl)
        .append(authUrl.contains("?") ? "&" : "?")
        .append("client_id").append("=").append(urlCodex.encode(clientId))
        .append("&").append("response_type").append("=").append("token")
        .append("&").append("scope").append("=").append(scopesToString(urlCodex))
        .toString();
  }

Original comment by travalle...@gmail.com on 27 Dec 2011 at 1:48

GoogleCodeExporter commented 9 years ago
In order to interpret the absence of an expiration such that a token does not 
immediately invalidate, you would have to edit line 88 of Auth.java: 
http://code.google.com/p/gwt-oauth2/source/browse/trunk/src/com/google/api/gwt/o
auth2/client/Auth.java#88

    if (info == null || info.expires == null || expiringSoon(info)) { <-------- THIS LINE
      // Token wasn't found, or doesn't have an expiration, or is expired or
      // expiring soon. Requesting access will refresh the token.
      doLogin(authUrl, callback);
    } else {
      // Token was found and is good, immediately execute the callback with the
      // access token.
      ...
   }

You would want to remove the info.expires == null check, since that means that 
lack of an expiration will immediately re-trigger login.

I will probably make this change myself, since, for example, the Foursquare API 
issues tokens that do not expire.

Original comment by jasonhall@google.com on 28 Dec 2011 at 6:42