
JWT token that doesn't supply expiration is assumed as valid

Open jonathanwiesel opened this issue 4 years ago • 2 comments

When a token response does not supply any of the currently detected attributes for token expiration (expires_in_sec, expires_in, expires), the token is assumed to be valid.

jonathanwiesel · Nov 19 '21 08:11

Need more information for this to be actionable. Can you provide a sample of where you think this is an issue?

AFAICT non-expiring JWTs are allowed (although strongly discouraged) and it's not clear what, if any, changes should be made to the library.

sqrrrl · Jan 25 '22 23:01

Sure thing. The hasAccess method is checking the isExpired method, which checks for specific attributes (expires_in_sec, expires_in, expires) to determine expiration. In case there's no expiration supplied (rare, but it could happen), or the expiration attribute name is different from the currently configured ones (for example exp), the method returns false, therefore considering the token not expired.

It would be great if, in case a different expiration attribute is supplied by a system, it could at least be supplied as configuration.

jonathanwiesel · Feb 02 '22 08:02
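The following is an added illustration, not code from apps-script-oauth2 and not a claim about its internals beyond what the thread states. It models the behaviour described in the comments: an expiry check that recognizes only expires_in_sec, expires_in and expires and returns "not expired" when none of them is present, next to a stricter variant that honours a configurable expiry attribute name (the configuration option requested above), falls back to the exp claim of a JWT access token, applies a clock-skew margin, and fails closed when no expiry can be determined. The function names (isExpiredNaive, isExpiredStrict, decodeJwtExp, fakeJwt), the granted_time field and the sample tokens are assumptions made for the example; Buffer is used for base64 so the snippet runs under Node.js (in Apps Script itself one would reach for Utilities.base64DecodeWebSafe instead).

```javascript
// Added example (not apps-script-oauth2 code). Models the issue: an expiry check
// that only knows a fixed set of token-response fields and assumes "valid" when
// none of them is present, beside a stricter, configurable, fail-closed variant.
// All names and sample tokens below are assumptions for illustration.

const KNOWN_EXPIRY_FIELDS = ['expires_in_sec', 'expires_in', 'expires'];

// Naive check mirroring the reported behaviour: the known fields are relative
// lifetimes in seconds counted from granted_time; with none present it returns
// false, i.e. the token is treated as not expired.
function isExpiredNaive(token, nowSec) {
  for (const field of KNOWN_EXPIRY_FIELDS) {
    if (token[field] !== undefined) {
      return nowSec >= token.granted_time + Number(token[field]);
    }
  }
  return false; // no expiry information at all: assumed valid (the problem)
}

// Recover the `exp` claim from a compact JWS access token WITHOUT verifying the
// signature. This is only a local bookkeeping hint for deciding when to refresh;
// the resource server still has to verify the token itself.
function decodeJwtExp(accessToken) {
  if (typeof accessToken !== 'string') return undefined;
  const parts = accessToken.split('.');
  if (parts.length !== 3) return undefined;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
    const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return typeof payload.exp === 'number' ? payload.exp : undefined;
  } catch (e) {
    return undefined; // not a JWT, or payload is not JSON
  }
}

// Stricter check. Order of precedence:
//  1. the known relative-lifetime fields;
//  2. a caller-configured field (opts.expiresField), read as an absolute Unix
//     time when opts.absolute is true, otherwise as seconds from granted_time;
//  3. the exp claim inside a JWT access token;
//  4. nothing known: fail closed and report the token as expired so the caller
//     re-authorizes instead of sending a possibly dead token.
// opts.skewSec (default 60) treats a token as expired slightly early.
function isExpiredStrict(token, nowSec, opts = {}) {
  const skew = opts.skewSec === undefined ? 60 : opts.skewSec;
  for (const field of KNOWN_EXPIRY_FIELDS) {
    if (token[field] !== undefined) {
      return nowSec + skew >= token.granted_time + Number(token[field]);
    }
  }
  if (opts.expiresField && token[opts.expiresField] !== undefined) {
    const v = Number(token[opts.expiresField]);
    const expiresAt = opts.absolute ? v : token.granted_time + v;
    return nowSec + skew >= expiresAt;
  }
  const exp = decodeJwtExp(token.access_token);
  if (exp !== undefined) return nowSec + skew >= exp;
  return true; // unknown expiry: fail closed
}

// Constructed, unsigned JWT-shaped string for the examples (not a real token).
function fakeJwt(payload) {
  const b64url = (s) => Buffer.from(s).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${b64url(JSON.stringify({ alg: 'none' }))}.${b64url(JSON.stringify(payload))}.sig`;
}

// Constructed sample token responses, all granted at the same instant.
const GRANTED = 1700000000;
const tokenWithExpiresIn = { access_token: 'opaque-a', granted_time: GRANTED, expires_in: 3600 };
const tokenNoExpiry = { access_token: 'opaque-b', granted_time: GRANTED };
const tokenJwt = { access_token: fakeJwt({ exp: GRANTED + 3600 }), granted_time: GRANTED };
const tokenCustomField = { access_token: 'opaque-c', granted_time: GRANTED, exp: GRANTED + 3600 };

// Compare the two checks well after every token should have expired.
function compareChecks(nowSec) {
  return {
    naive: [tokenWithExpiresIn, tokenNoExpiry, tokenJwt, tokenCustomField]
      .map((t) => isExpiredNaive(t, nowSec)),
    strict: [tokenWithExpiresIn, tokenNoExpiry, tokenJwt]
      .map((t) => isExpiredStrict(t, nowSec))
      .concat([isExpiredStrict(tokenCustomField, nowSec, { expiresField: 'exp', absolute: true })]),
  };
}

console.log(JSON.stringify(compareChecks(GRANTED + 86400)));
```

The naive variant reports only the first token as expired a day later; the strict variant reports all four. Decoding exp from the access token is a convenience for refresh timing only, which is why the snippet never treats the unverified claim as proof of anything about the token's validity.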