Closed Bug 1388541 Opened 7 years ago Closed 7 years ago

Add an `expires` field to the response from oidcCredentials

Categories

(Taskcluster :: Services, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

Clients will need to renew before expiration.  https://wiki.mozilla.org/Security/Guidelines/OpenID_connect suggests that these tokens should be very temporary -- 15 minutes.  Without an expiration, clients are left with bad options:

 - fetch the issuing client and check its expires, and parse the certificate from the credentials, if present, in case it expires sooner

 - catch 401 errors from API calls and re-try them after fetching new credentials

Blocks: 1385363
No longer blocks: 1385363
Blocks: 1380028
Commits pushed to master at https://github.com/taskcluster/taskcluster-login

https://github.com/taskcluster/taskcluster-login/commit/b87ae2bc8ea11d2793209ce7b046ddd87965ded7
Bug 1388541: return an expiration for credentials

This allows users to know when the credentials need to be refreshed,
without trying to do tricky things to parse the credentials.

https://github.com/taskcluster/taskcluster-login/commit/8271cb1c648a6a985cc9dc948f1b2e761063346d
Merge pull request #52 from djmitche/bug1388541

Bug 1388541: return an expiration for credentials

Note that I added a bit of "slop" on the server side, so credentials will still work for a little while after the reported expires time. Long enough to allow an API call to complete if it began before the advertised expiration time, even in the face of some clock skew.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: Login → Services
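
How a client can use the `expires` field to renew ahead of time instead of parsing certificates or retrying on 401, as an added example that is not code from taskcluster-login. The response shape `{expires, credentials}`, the `fetchCredentials` callback, the `CredentialCache` and `needsRenewal` names and the 60-second renewal margin are assumptions made for illustration; the margin is the client's own and does not rely on the server-side slop.

```javascript
// Added example. Assumed response shape (not confirmed by the page):
//   { expires: <ISO 8601 string>, credentials: {...} }
// fetchCredentials is a hypothetical caller-supplied async function that
// calls the login service and resolves to that response.

// True when the advertised expiration is within marginMs of nowMs.
function needsRenewal(expires, nowMs, marginMs) {
  const expiresMs = Date.parse(expires);
  // A missing or malformed timestamp is treated as already expired (fail closed).
  if (Number.isNaN(expiresMs)) return true;
  return expiresMs - nowMs <= marginMs;
}

class CredentialCache {
  constructor({fetchCredentials, marginMs = 60 * 1000, now = Date.now}) {
    this.fetchCredentials = fetchCredentials;
    this.marginMs = marginMs; // renew this long before `expires`
    this.now = now;           // injectable clock, for testing
    this.current = null;      // last response from the service
    this.inFlight = null;     // shared promise while a renewal is running
  }

  // Resolve to credentials that are valid for at least marginMs.
  async get() {
    if (this.current &&
        !needsRenewal(this.current.expires, this.now(), this.marginMs)) {
      return this.current.credentials;
    }
    // Concurrent callers share one renewal instead of each fetching.
    if (!this.inFlight) {
      this.inFlight = this.fetchCredentials()
        .then(res => {
          // Reject a response that is already expired by the local clock,
          // which usually indicates clock skew or a bad timestamp.
          if (needsRenewal(res.expires, this.now(), 0)) {
            throw new Error('received credentials that are already expired');
          }
          this.current = res;
          return res;
        })
        .finally(() => { this.inFlight = null; });
    }
    return (await this.inFlight).credentials;
  }
}
```

Call `cache.get()` immediately before each API request; a request that starts just inside the margin still completes with credentials the server accepts.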