idtoken: provide option to validate token despite being expired #1315
Comments
Hey @agusterodin thanks for the feature request. I don't believe any of our language libraries allow this kind of flexibility around omitting validation of the expiry of a token, as it is critical to make sure the token is active to prevent misuse of old tokens. I will do some double checking but I think it is likely we will not move forward with this proposal at this time. In the meantime I would just vendor the library and refactor out the expiry check. The parsed token returned by the method will allow additional validations.
Understandable. Much appreciated!
Out of curiosity, what is your official suggestion on how to handle refresh token endpoint logic (checking whether or not the previous token was valid)? Also I agree with you that maximum security should always be there by default. Definitely if the user didn't supply a boolean to skip the expiry check I would default to enforcing expiry. Will vendor for now. Hope that this sort of thing makes its way to this library (or a viable alternative) in the future!
Hey, I tried vendoring the library (https://github.com/agusterodin/google-api-go-client) by commenting out the offending lines. Unfortunately when I run My second attempt involved stripping the repository down to just the idtoken folder contents (https://github.com/agusterodin/google-idtoken). Unfortunately it gave me this error, not to mention that updating my fork will be a lot more difficult since the repositories have a completely different structure:
Any suggestions?
The internal folders are where a lot of auth layer stuff happens. You are getting the error because you can't call code from another project's internal folder. You would need to have that copied over as well.
Is your feature request related to a problem? Please describe.
I am implementing a refresh token endpoint. In order to decide what refresh token I should give out I first want to check the attached bearer token. I want to determine whether the bearer token is valid (properly signed but doesn't matter if expired or not) and want to be able to access the token's claims (particularly sub so I know which user it is). Right now an expired but validly signed token will completely fail and return an error.
Describe the solution you'd like
A boolean parameter for the idtoken.Validate function, allowExpired. Either that or a parameter that allows you to define an object where you describe the validation steps you want to "opt-out" of / ignore. I think the allowExpired solution would be a lot simpler.
Describe alternatives you've considered
Implementing token validation and parsing entirely by myself which seems very difficult and leaves a lot of room for potential security holes / missed validation checks.
Additional context
N/A
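The maintainer's suggestion above is to keep signature verification intact and layer any further checks on the parsed token. The following Go program is an added example, not code from google-api-go-client or the idtoken package: it mints and verifies a constructed RS256 JWT with the standard library so it runs offline, and splits the mandatory signature/audience checks from an expiry check that a refresh endpoint can relax only within a bounded grace window (strict rejection is the zero-value default). Payload, Policy, Sign, VerifySignature, CheckExpiry and Validate are hypothetical names chosen for this example; the real idtoken.Validate has a different signature and always enforces expiry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Payload is the subset of ID token claims this example uses (assumed names).
type Payload struct {
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
}

// Policy keeps the signature check non-negotiable and makes the expiry rule
// explicit. ExpiryGrace == 0 (the zero value) rejects anything past exp, so a
// caller has to opt in to tolerating a recently expired token.
type Policy struct {
	Audience    string
	ExpiryGrace time.Duration
	Now         func() time.Time // injectable clock for deterministic tests
}

var ErrExpired = errors.New("token expired")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign mints an RS256 JWT from constructed claims so the example is
// self-contained; a real ID token comes from the identity provider.
func Sign(p Payload, priv *rsa.PrivateKey) (string, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	h := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifySignature checks only that pub signed the token (pinning alg to RS256
// so an attacker-chosen "none" header is rejected) and parses the claims.
// It deliberately ignores exp: callers must still run CheckExpiry or Validate.
func VerifySignature(token string, pub *rsa.PublicKey) (*Payload, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var p Payload
	if err := json.Unmarshal(pb, &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// CheckExpiry applies the policy's expiry rule to already-verified claims.
func CheckExpiry(p *Payload, pol Policy) error {
	now := time.Now
	if pol.Now != nil {
		now = pol.Now
	}
	if now().After(time.Unix(p.Expires, 0).Add(pol.ExpiryGrace)) {
		return ErrExpired
	}
	return nil
}

// Validate is the full path a resource server should use: signature, then
// audience, then expiry. A refresh endpoint can call the same function with
// a small ExpiryGrace instead of bypassing the check entirely.
func Validate(token string, pub *rsa.PublicKey, pol Policy) (*Payload, error) {
	p, err := VerifySignature(token, pub)
	if err != nil {
		return nil, err
	}
	if p.Audience != pol.Audience {
		return nil, errors.New("audience mismatch")
	}
	if err := CheckExpiry(p, pol); err != nil {
		return nil, err
	}
	return p, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := Sign(Payload{Subject: "user-123", Audience: "my-app",
		Expires: time.Now().Add(-time.Hour).Unix()}, priv) // expired an hour ago
	_, err := Validate(tok, &priv.PublicKey, Policy{Audience: "my-app"})
	fmt.Println("strict:", err)
	p, err := Validate(tok, &priv.PublicKey, Policy{Audience: "my-app", ExpiryGrace: 2 * time.Hour})
	fmt.Println("refresh window:", p.Subject, err)
}
```

The grace window is the only knob that differs between the resource-server path and the refresh path; the signature and audience checks run identically in both, which is the property the maintainer wants preserved. Whatever window you choose, pair it with the existing refresh-token checks (the refresh token itself, its revocation state) rather than treating an expired ID token as proof of identity on its own.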