refresh_token_expires_in missing #1372

Open
0rsa opened this issue Jan 30, 2024 · 6 comments
Labels: enhancement (New feature or request), Microsoft Entra ID (Former Azure AD)

Comments


0rsa commented Jan 30, 2024

Good afternoon,
Calling the IdP /token (grant_type: authorization_code), I receive this attribute in the response:

refresh_token_expires_in: 3600

I cannot find this attribute in the repo source code and this attribute is lost in the oidc:user session storage.

Is there a reason for this attribute to be ignored by the library?

Thank you

Member

pamapa commented Jan 31, 2024

This library supports the OAuth2.0/OIDC standard, which defines expires_in for access tokens. See https://openid.net/specs/openid-connect-core-1_0.html#CodeNotes.

The expires_in for refresh tokens is not yet implemented...

BTW: Which IDP are you using?

pamapa added the question (Further information is requested) and enhancement (New feature or request) labels and removed the question label Jan 31, 2024
Member

pamapa commented Jan 31, 2024

Looks like there is no refresh_token_expires_in defined in the OAuth2 standard...

Author

0rsa commented Jan 31, 2024

I guess it's a Microsoft specificity
https://learn.microsoft.com/en-us/linkedin/shared/authentication/programmatic-refresh-tokens

refresh_token_expires_in — The number of seconds remaining until the refresh token expires. Refresh tokens usually have a longer lifespan than access tokens.

pamapa added the Microsoft Entra ID (Former Azure AD) label Jan 31, 2024
Member

pamapa commented Feb 1, 2024

It would be quite easy; what I do not like is that it is not part of the spec...

Similar to expires_in, it must be added in these files:

  • public get expires_in(): number | undefined {
        if (this.expires_at === undefined) {
            return undefined;
        }
        return this.expires_at - Timer.getEpochTime();
    }
    public set expires_in(value: number | undefined) {
        // spec expects a number, but normalize here just in case
        if (typeof value === "string") value = Number(value);
        if (value !== undefined && value >= 0) {
            this.expires_at = Math.floor(value) + Timer.getEpochTime();
        }
    }
  • public get expires_in(): number | undefined {
        if (this.expires_at === undefined) {
            return undefined;
        }
        return this.expires_at - Timer.getEpochTime();
    }
    public set expires_in(value: number | undefined) {
        if (value !== undefined) {
            this.expires_at = Math.floor(value) + Timer.getEpochTime();
        }
    }

@edwardmjackson

Can I add a vote for this enhancement?

Keycloak also supports refresh_token_expires_in; and we're currently seeing behaviour where oidc-client-ts tries to renew an access token using a refresh_token that is known to be expired.

Happy to look into submitting a PR if it's likely to be accepted.

@edwardmjackson

Approving this would also be a quick-fix to allow users of the library to implement refresh_token_expires_in ourselves.
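
An added example, not part of the thread and not oidc-client-ts code: one way an application could keep the non-standard refresh_token_expires_in as an absolute deadline (mirroring the expires_in normalization quoted above) and skip a refresh grant when the refresh token is already known to be expired. All names (TokenResponse, StoredTokens, toExpiresAt, storeTokens, renewDecision, skewSeconds) are hypothetical, and the sample response is constructed.

```typescript
// Added example, not oidc-client-ts code; every name here is hypothetical.
interface TokenResponse {
    access_token: string;
    expires_in?: number | string;
    refresh_token?: string;
    refresh_token_expires_in?: number | string; // non-standard extension
}

interface StoredTokens {
    access_token: string;
    expires_at: number | undefined;               // epoch seconds
    refresh_token: string | undefined;
    refresh_token_expires_at: number | undefined; // undefined = lifetime unknown
}

// Relative lifetime -> absolute epoch-seconds deadline. Missing, empty,
// non-numeric or negative values yield undefined, never a bogus deadline.
function toExpiresAt(value: number | string | undefined, now: number): number | undefined {
    if (value === undefined) return undefined;
    const n = typeof value === "string" ? (value.trim() === "" ? NaN : Number(value)) : value;
    if (!Number.isFinite(n) || n < 0) return undefined;
    return Math.floor(n) + now;
}

function storeTokens(resp: TokenResponse, now: number): StoredTokens {
    return {
        access_token: resp.access_token,
        expires_at: toExpiresAt(resp.expires_in, now),
        refresh_token: resp.refresh_token,
        refresh_token_expires_at: toExpiresAt(resp.refresh_token_expires_in, now),
    };
}

// Decide whether a refresh_token grant is worth sending. skewSeconds leaves
// room for clock drift and request latency.
function renewDecision(t: StoredTokens, now: number, skewSeconds = 30): "refresh" | "reauthenticate" {
    if (!t.refresh_token) return "reauthenticate";
    // IdP did not report a lifetime: attempt the grant and let the IdP decide.
    if (t.refresh_token_expires_at === undefined) return "refresh";
    return t.refresh_token_expires_at - now > skewSeconds ? "refresh" : "reauthenticate";
}

// Constructed sample response; token strings are placeholders and 3600 is
// the refresh token lifetime reported in the issue (sent here as a string).
const sampleResponse: TokenResponse = {
    access_token: "example-access-token",
    expires_in: 300,
    refresh_token: "example-refresh-token",
    refresh_token_expires_in: "3600",
};
```

Storing the deadline rather than the relative value keeps the check valid after a page reload, since the remaining lifetime is recomputed from the current time.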
