auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.

isExpired should not only check the access token, but also provide the possibility to validate the ID token

awacode21 opened this issue · comments

Describe the problem you'd like to have solved

Within our application we mainly use the access_token for API calls, but there are cases where we also need to deal with the ID token. The access token and the ID token can have different lifetimes.

express-openid-connect provides the isExpired() function to check for expiry and the refresh() function to refresh tokens. The refresh function returns an updated access token and updated ID token information. But the isExpired function only checks the expiry of the access token; it does not take the ID token into account.

So when the ID token has a shorter lifetime than the access token, we currently don't become aware that the ID token might have expired and that we should call the refresh function.

With this, the only ways to always have a valid id_token are to refresh on every single request or, as another option, to write our own isExpired function that takes both the access token and the ID token into account. Or to make sure that both tokens always have the same lifetime, so the ID token gets refreshed when the access token does. But this would limit us in configuration options.

But I think this should be handled by the SDK and not worked around by the users of the SDK.

Describe the ideal solution

isExpired() provides the functionality to check expiry for both tokens.

Alternatives and current work-arounds

Option 1) Write your own isExpired() function as a workaround.
Option 2) Set the lifetime of both tokens to the same value, so the ID token gets updated alongside the access token. (Limits configuration options.)
Option 3) Refresh on every request.

Additional information, if any

I discussed this topic with an Auth0 team member (Saltuk Alakus) directly by email. He asked me to open this feature request because he agreed this should be handled by express-openid-connect itself.
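Option 1 from the issue, written out as an added example (this is not code from the issue or from express-openid-connect). It decodes the ID token's exp claim without verifying the signature, which is only acceptable because the result is used to decide whether to call refresh(), never to authorize anything. The middleware at the end assumes the SDK exposes req.oidc.accessToken (with expires_in and refresh()) and req.oidc.idToken as the raw compact JWT; those names are assumptions about the SDK's shape, as are the helper names tokensExpired, decodeJwtPayload and ensureFreshTokens.

```javascript
// Added example: a replacement for isExpired() that checks BOTH the access
// token's expiry and the ID token's exp claim. Not part of express-openid-connect.

const DEFAULT_SKEW_SECONDS = 30; // tolerate clock drift between IdP and RP

// Decode a compact JWS payload WITHOUT verifying it. This is sufficient to
// read `exp` for a local "should we refresh?" decision; it must never be
// used to trust any other claim or to make an authorization decision.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 parts)');
  // Node's Buffer understands 'base64url' (padding-free, URL-safe alphabet).
  const json = Buffer.from(parts[1], 'base64url').toString('utf8');
  return JSON.parse(json);
}

// accessTokenExpiresAt: unix seconds when the access token expires.
// idToken: raw compact JWT string (or undefined if absent).
// A missing or unparseable ID token is treated as expired (fail closed).
function tokensExpired({
  accessTokenExpiresAt,
  idToken,
  nowSeconds = Math.floor(Date.now() / 1000),
  skewSeconds = DEFAULT_SKEW_SECONDS,
}) {
  const accessTokenExpired = accessTokenExpiresAt - skewSeconds <= nowSeconds;

  let idTokenExpired = true;
  if (typeof idToken === 'string') {
    try {
      const { exp } = decodeJwtPayload(idToken);
      // Per RFC 7519, exp is NumericDate (seconds since epoch); reject anything else.
      idTokenExpired = typeof exp !== 'number' || exp - skewSeconds <= nowSeconds;
    } catch {
      idTokenExpired = true;
    }
  }

  return {
    accessTokenExpired,
    idTokenExpired,
    expired: accessTokenExpired || idTokenExpired,
  };
}

// Constructed sample data for offline use: an unsigned (alg "none") ID token.
// Real ID tokens are signed; this shape exists only so the example runs alone.
function makeUnsignedIdToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Express middleware sketch (assumed SDK shape: req.oidc.accessToken has
// expires_in (seconds) and refresh(); req.oidc.idToken is the raw JWT).
// Refreshes when either token is stale, then continues the request.
async function ensureFreshTokens(req, res, next) {
  try {
    const { accessToken, idToken } = req.oidc;
    const nowSeconds = Math.floor(Date.now() / 1000);
    const { expired } = tokensExpired({
      accessTokenExpiresAt: nowSeconds + accessToken.expires_in,
      idToken,
      nowSeconds,
    });
    if (expired) await accessToken.refresh();
    next();
  } catch (err) {
    next(err);
  }
}

module.exports = { decodeJwtPayload, tokensExpired, makeUnsignedIdToken, ensureFreshTokens };
```

The skew is subtracted on both tokens so a token that expires one second from now is already reported as expired, which gives the refresh call time to complete before the next downstream use. Because the ID token's exp is read without signature verification, tokensExpired only ever widens the set of requests that trigger a refresh; a tampered exp can force extra refreshes but cannot extend a session.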

Hi @awacode21 - thanks for raising this

The intended use of the ID Token's exp claim is to prevent you from establishing an authenticated session with the RP after the expiration time has passed. (See the spec, notably "the time on or after which the ID Token MUST NOT be accepted for processing.")

Therefore it should only be used when establishing a session (this happens in the callback route). It's often assumed that "exp" also limits the authenticated session length, but it doesn't (see also https://bitbucket.org/openid/connect/issues/1002/clarify-meaning-of-exp-claim-in-id-token).

But there are cases where we also need to deal with the id token

If you are using the ID Token's expiry for something else, that's fine, but this is an OpenID Connect SDK and so it follows the intended usage of the ID Token's exp claim in the OpenID Connect specification.

Closing as I believe #444 (comment) answers your question