Closed
Bug 1388541
Opened 7 years ago
Closed 7 years ago
Add an `expires` field to the response from oidcCredentials
Categories
(Taskcluster :: Services, enhancement)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Assigned: dustin)
References
Details
Clients will need to renew before expiration. https://wiki.mozilla.org/Security/Guidelines/OpenID_connect suggests that these tokens should be very temporary -- 15 minutes. Without an expiration, clients are left with bad options: - fetch the issuing client and check its expires, and parse the certificate from the credentials, if present, in case it expires sooner - catch 401 errors from API calls and re-try them after fetching new credentials
Comment 2•7 years ago
|
||
Commits pushed to master at https://github.com/taskcluster/taskcluster-login https://github.com/taskcluster/taskcluster-login/commit/b87ae2bc8ea11d2793209ce7b046ddd87965ded7 Bug 1388541: return an expiration for credentials This allows users to know when the credentials need to be refreshed, without trying to do tricky things to parse the credentials. https://github.com/taskcluster/taskcluster-login/commit/8271cb1c648a6a985cc9dc948f1b2e761063346d Merge pull request #52 from djmitche/bug1388541 Bug 1388541: return an expiration for credentials
Assignee | ||
Comment 3•7 years ago
|
||
Note that I added a bit of "slop" on the server side, so credentials will still work for a little while after the reported expires time. Long enough to allow an API call to complete if it began before the advertised expiration time, even in the face of some clock skew.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•5 years ago
|
Component: Login → Services
You need to log in
before you can comment on or make changes to this bug.
Description
•