-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] fix: correctly respect client expiry #2122
base: main
Are you sure you want to change the base?
Conversation
expect(mockFetch).toHaveBeenCalled(); | ||
}); | ||
|
||
it("registers a new client if the one in storage has no expiry stored", async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@NSeydoux I think this is what we'll want, because otherwise someone may have a valid client, but we hadn't stored the expiry, in which case registering a new client resolves that missing expiry.
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. Latest deployment of this branch, based on commit 3280347:
|
const infoToSave: Record<string, string> = { | ||
clientId: registeredClient.metadata.client_id, | ||
idTokenSignedResponseAlg: | ||
registeredClient.metadata.id_token_signed_response_alg ?? signingAlg, | ||
}; | ||
if (registeredClient.metadata.client_secret) { | ||
infoToSave.clientSecret = registeredClient.metadata.client_secret; | ||
infoToSave.clientExpiresAt = clientExpiresAt.toString(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we may always want to store this, though technically client_secret_expires_at
is only returned if a client_secret
is returned: https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse
@@ -143,18 +149,30 @@ export default class ClientRegistrar implements IClientRegistrar { | |||
} | |||
); | |||
|
|||
let clientExpiresAt = 0; | |||
if ( | |||
typeof registeredClient.metadata.client_secret_expires_at === "number" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: openid-client
doesn't actually verify that client_secret_expires_at
is present and that it is in the future, I've added a set of checks in oidc-client-ext to verify these for the browser, but for server we don't currently have these checks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In theory here we could receive back a client with a client_secret_expires_at
in the past, if the users' clock time on their server is ahead of the IdP's clock time.
Can we assume that users and IdP's can configure their servers to have a synchronised clock time?
const mockFetch = (jest.fn() as any).mockResolvedValueOnce( | ||
/* eslint-disable camelcase */ | ||
new NodeResponse( | ||
JSON.stringify({ | ||
client_id: "some id", | ||
client_secret: "some secret", | ||
// Expire this client in 5 seconds: | ||
client_secret_expires_at: currentTime / 1000 + 5, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We may want a test for the behaviour when client_secret_expires_at
is in the past, as the registerClient
would fail in this case, which would likely blow up the code for ClientRegistrar in browser.
bfb6eab
to
5da7478
Compare
c153424
to
3280347
Compare
E2E tests are currently failing because of how the |
sessionInfo.issuer === undefined | ||
) { | ||
return null; | ||
} | ||
|
||
// FIXME: verify client is still valid |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is actually taken care of by ClientRegistrar — if the client isn't valid, then a new one will be requested.
Valid Client: has clientId & clientExpiresAt == 0 or clientExpiresAt > now
…ferent types This helps with ensuring only the correct options are to a given client type
4d46bc5
to
94daee1
Compare
This PR fixes the bug where dynamically registered clients did not expire, despite the server indicating that they should expiry at a given time.