[OPENIG-1491] OAuth2: expires_in field is recommended, not mandatory
Created: 21/Nov/16  Updated: 11/Apr/17  Resolved: 22/Nov/16

Status: Closed
Project: Identity Gateway
Component/s: OAuth 2.0
Affects Version/s: 5.0.0
Fix Version/s: 5.0.0

Type: Bug
Priority: Major
Reporter: Joachim Andres
Assignee: Violette Roche Montane
Resolution: Fixed
Votes: 0
Labels: 5.0-Must, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: OpenIG Sprint 93 (last dev)

 Description   

In an access token response, the expires_in field is recommended but not mandatory. However, responses without this field are rejected.

Below is a response from the Salesforce AS:

10:07:44:949 | ERROR | I/O dispatcher 13 | o.f.o.f.o.c.OAuth2ClientFilter | An error occurred in the OAuth2 process
org.forgerock.openig.filter.oauth2.client.OAuth2ErrorException: error="server_error", error_description="'expire_in' field value is neither a Number nor a String"
        at org.forgerock.openig.filter.oauth2.client.OAuth2Session.stateAuthorized(OAuth2Session.java:206)
        at org.forgerock.openig.filter.oauth2.client.OAuth2ClientFilter$2.apply(OAuth2ClientFilter.java:545)
        at org.forgerock.openig.filter.oauth2.client.OAuth2ClientFilter$2.apply(OAuth2ClientFilter.java:542)
        at org.forgerock.util.promise.PromiseImpl$5.handleStateChange(PromiseImpl.java:394)
        at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
        at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:608)
{
	"access_token": "00D0Y000000aebR!AR4AQDvgXYRiao8boa7JsDcvQlWqcDqppuzRf_fndrk.KLByW2ho7rDaS5Q9BCvG4WLdtrI8DQ.T2ESEaoRNHKPsYlP4z7Od",
	"signature": "hXoIjxFpIxAOO1wmfTbd0zg9OVfYG9Y1h8hQ+JaP8OM=",
	"scope": "openid id",
	"id_token": "eyJraWQiOiIyMDQiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiTkxTdDlhT0ZpaGtBLWJqUWhZVXZOdyIsInN1YiI6Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20vaWQvMDBEMFkwMDAwMDBhZWJSVUFRLzAwNTBZMDAwMDAwSjlHVFFBMCIsImF1ZCI6IjNNVkc5SHhSWnYwNUhhclQyS3NXTTl1dHY2bldNLkdfa3diYXMuR1hYbVYyMFZab1BJcVBiUmpMaURwLjF2QzRScTJseDJEdWc2WWFhbFpRNU9qaVgiLCJpc3MiOiJodHRwczovL2xvZ2luLnNhbGVzZm9yY2UuY29tIiwiZXhwIjoxNDc5NzIyOTg0LCJpYXQiOjE0Nzk3MjI4NjR9.dDmVLE5_ZET2vJoOuUQTTgCNqHNIQDRXyc8icNCqc4CDW_0PYEqUbrCA05AmjKjUHdGHWQLMky88-cFK9wRjzA9WdsghsXM9Z7nZFmm8Av7feNq99mreA9zkCkEbXrtYqtZRKVybdZ9CVY-n2dCRipelyy_73Awws4YQCymlQmlk1vE-8LsYwO9r735Yq0xp0m07JJbYtaPLRQtF9t5HDcmgxXCRQK9Tv--IlvQPOLSIVMJNYoHbzeWDw7fOFm6fLKpPCUhkNIHqLtKVLL5yYIelSHvUE3T5_3s2dggqyR8UG_z7uHeJUs5FumkR2yXu_7BXpLgrvjq9MFOyILH6A3QSjH66AI2xFLceDdLO7-HhdIhBzUJ8-lAYYb-kij2f6yD9U8PDjPMoVBUDvc46doL0LQw9_r2NHrALlLQQc3U1THQYLMScuc_JVkF1BnqaocS_CmLNOfs6fOZhY-DsJfHWE0sBCNNeEj8_kdZSUYRf3DX0dCL61deCRPA40gBPHlJgSTEVVNk3ayGBcDOR2KYMrsVi3RN9nNNcttT-WoFoMuA_7_P571pjibpH2K6qGfCvy-B7_16gczdxnsdogKGhDVGC5gbJ0hPUaltL5fRn_gxZ97EFhcKd5av06K_jT87-x0MnNjYDMd1q9bf7kbXy8F1F89KeYNjEse82uvI",
	"instance_url": "https://eu11.salesforce.com",
	"id": "https://login.salesforce.com/id/00D0Y000000aebRUAQ/0050Y000000J9GTQA0",
	"token_type": "Bearer",
	"issued_at": "1479722864748"
}



 Comments   
Comment by Guillaume Sauthier [ 21/Nov/16 ]

From the OAuth 2.0 Spec:

expires_in
RECOMMENDED. The lifetime in seconds of the access token. For
example, the value "3600" denotes that the access token will
expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the
expiration time via other means or document the default value.
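
One way a client can treat expires_in as optional, as the spec text quoted above allows (an added example, not part of this issue and not OpenIG's code). The class name, method names and fallback lifetime are assumptions of the example, and the sample responses are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

public class ExpiresInExample {

    // Lifetime from an already-parsed token response; empty when expires_in is absent or null.
    static Optional<Duration> parseExpiresIn(Map<String, Object> tokenResponse) {
        Object raw = tokenResponse.get("expires_in");
        if (raw == null) {
            return Optional.empty(); // RECOMMENDED, not REQUIRED: absence is not an error
        }
        long seconds;
        if (raw instanceof Number) {
            seconds = ((Number) raw).longValue();
        } else if (raw instanceof String) {
            try {
                seconds = Long.parseLong(((String) raw).trim());
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("expires_in is not a number: " + raw, e);
            }
        } else {
            throw new IllegalArgumentException("expires_in is neither a Number nor a String");
        }
        if (seconds < 0) {
            throw new IllegalArgumentException("expires_in is negative: " + seconds);
        }
        return Optional.of(Duration.ofSeconds(seconds));
    }

    // Expiry instant; a missing field falls back to a locally configured lifetime, never to "no expiry".
    static Instant expiresAt(Map<String, Object> tokenResponse, Instant receivedAt, Duration fallback) {
        return receivedAt.plus(parseExpiresIn(tokenResponse).orElse(fallback));
    }

    public static void main(String[] args) {
        Instant receivedAt = Instant.parse("2016-11-21T10:07:44Z"); // constructed timestamp
        Duration fallback = Duration.ofMinutes(2);                   // constructed default lifetime
        Map<String, Object> noExpiry = new LinkedHashMap<>();        // constructed: no expires_in field
        noExpiry.put("access_token", "constructed-token");
        noExpiry.put("token_type", "Bearer");
        System.out.println(expiresAt(noExpiry, receivedAt, fallback));
        System.out.println(expiresAt(Map.<String, Object>of("expires_in", 3600), receivedAt, fallback));
        System.out.println(expiresAt(Map.<String, Object>of("expires_in", "3600"), receivedAt, fallback));
    }
}
```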

Comment by Jean-Charles Deville [ 11/Apr/17 ]

Release 5.0.0 (+cleanup):
Close issues that have been tagged with "Not a Defect" or "won't Fix"
Close issues that are now tested in automated tests

Generated at Mon Sep 21 16:37:03 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.