Bug #35690

open

API returns expires_at field in token but expires_at isn't valid

Added by Brendan Shephard over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Summary:

`expires_at` isn't a valid field in the OAuth RFC. Foreman should instead return `expires_in`:
https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2

Reproducer:
1. Request an OAuth token from Foreman
2. See that it includes the expires_at field:
```
{'token': '$2a$09$1b6453892473a467d0737uJ56J02CLEXEkOaX0pdLWgLMlg.qWDSi',
 'expires_at': '2022-10-28T04:54:58.296Z',
 'issued_at': '2022-10-17T23:45:09.306Z'}
```

This was introduced here:
https://github.com/theforeman/foreman/pull/1321/commits/543ffa6e4cb84b3e5adce096c2afd3edcbfd0a9a

Expected Behaviour:
We shouldn't be returning `expires_at` since it doesn't appear in the RFC for OAuth. Instead, we should be returning `expires_in` as described:
https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2

Impact:
Not adhering to the RFC makes it hard to integrate platforms with Foreman. For example:
https://bugzilla.redhat.com/show_bug.cgi?id=2134075
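As an added illustration (not part of the bug report and not Foreman's own code), the following client-side helper shows what an integrating platform has to do while the response carries `expires_at` instead of the RFC 6749 `expires_in`: it accepts either layout, computes the remaining lifetime, and rewrites a Foreman-style response into RFC shape. The sample response is constructed from the timestamps in the report with the token value replaced by a placeholder; the function names and the 30-second skew allowance are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed sample in the shape shown in the report above; the token value
# is a placeholder, the timestamps are the ones from the report.
FOREMAN_RESPONSE = {
    "token": "<token-placeholder>",
    "expires_at": "2022-10-28T04:54:58.296Z",
    "issued_at": "2022-10-17T23:45:09.306Z",
}


def parse_iso8601_utc(value):
    """Parse an ISO 8601 timestamp as Foreman emits it; a trailing 'Z' means UTC.
    datetime.fromisoformat() only accepts 'Z' from Python 3.11 on, so rewrite it."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        # Defensive: treat a naive timestamp as UTC rather than local time.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def seconds_until_expiry(response, now=None):
    """Return the remaining lifetime in whole seconds, or None when the
    response carries no expiry information at all.

    Two layouts are accepted:
      * RFC 6749 style: an integer `expires_in`, relative to the moment the
        client received the response.
      * Foreman style (this bug): an absolute `expires_at`, measured against
        `now` (defaults to the current UTC time).
    `expires_in` wins when both are present, since it is the standard field.
    """
    if "expires_in" in response:
        return int(response["expires_in"])
    if "expires_at" in response:
        if now is None:
            now = datetime.now(timezone.utc)
        remaining = parse_iso8601_utc(response["expires_at"]) - now
        return int(remaining.total_seconds())
    return None


def is_expired(response, now=None, skew_seconds=30):
    """True when the token should no longer be used. The skew allowance
    (assumed value) covers clock drift between client and server. A response
    with no expiry information is treated as not expired: RFC 6749 only
    RECOMMENDS `expires_in`, so its absence is legal."""
    remaining = seconds_until_expiry(response, now)
    if remaining is None:
        return False
    return remaining <= skew_seconds


def to_rfc6749_shape(response, now=None):
    """Return a copy of a Foreman response with an RFC 6749 `expires_in`
    added. When `issued_at` is present the value is derived relative to it,
    so it does not depend on when this function runs; otherwise it is
    relative to `now`. Original keys are kept so nothing is lost."""
    normalized = dict(response)
    if "expires_in" not in normalized and "expires_at" in normalized:
        reference = now
        if "issued_at" in normalized:
            reference = parse_iso8601_utc(normalized["issued_at"])
        normalized["expires_in"] = seconds_until_expiry(normalized, reference)
    return normalized


if __name__ == "__main__":
    issued = parse_iso8601_utc(FOREMAN_RESPONSE["issued_at"])
    print(to_rfc6749_shape(FOREMAN_RESPONSE))
    print(seconds_until_expiry(FOREMAN_RESPONSE, now=issued))
```

With the report's timestamps, `expires_at` minus `issued_at` is 882588 whole seconds, which is the `expires_in` an RFC-shaped response would have carried; a client that only reads `expires_in` sees no expiry at all from the current Foreman response and cannot refresh proactively.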
