comparison mod_http_oauth2/mod_http_oauth2.lua @ 5646:d67980d9e12d

mod_http_oauth2: Apply refresh token ttl to refresh token instead of grant The intent in 59d5fc50f602 was for refresh tokens to extend the lifetime of the grant, but the refresh token ttl was applied to the grant and mod_tokenauth does not change it, leading to the grant expiring regardless of refresh token usage. This makes grant lifetimes unlimited, which seems to be standard practice in the wild.
author Kim Alvefur <zash@zash.se>
date Mon, 11 Sep 2023 10:48:31 +0200
parents 73c3d5bfce3e
children bbde136a4c29
comparison
equal deleted inserted replaced
5645:f16edebb1305 5646:d67980d9e12d
270 end 270 end
271 271
272 local grant = refresh_token_info and refresh_token_info.grant; 272 local grant = refresh_token_info and refresh_token_info.grant;
273 if not grant then 273 if not grant then
274 -- No existing grant, create one 274 -- No existing grant, create one
275 grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data); 275 grant = tokens.create_grant(token_jid, token_jid, nil, token_data);
276 end 276 end
277 277
278 if refresh_token_info then 278 if refresh_token_info then
279 -- out with the old refresh tokens 279 -- out with the old refresh tokens
280 local ok, err = tokens.revoke_token(refresh_token_info.token); 280 local ok, err = tokens.revoke_token(refresh_token_info.token);
282 module:log("error", "Could not revoke refresh token: %s", err); 282 module:log("error", "Could not revoke refresh token: %s", err);
283 return 500; 283 return 500;
284 end 284 end
285 end 285 end
286 -- in with the new refresh token 286 -- in with the new refresh token
287 local refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant.id, nil, nil, "oauth2-refresh"); 287 local refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh");
288 288
289 if role == "xmpp" then 289 if role == "xmpp" then
290 -- Special scope meaning the users default role. 290 -- Special scope meaning the users default role.
291 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host); 291 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);
292 role = user_default_role and user_default_role.name; 292 role = user_default_role and user_default_role.name;