-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Implement Token Expiry Check and Refresh using Refresh Tokens #310
base: master
Are you sure you want to change the base?
Conversation
public class OicCredentials { | ||
private String accessToken; | ||
private IdToken idToken; | ||
private String refreshToken; |
Check warning
Code scanning / Jenkins Security Scan
Jenkins: Plaintext password storage
import java.time.Clock; | ||
|
||
public class OicCredentials { | ||
private String accessToken; |
Check warning
Code scanning / Jenkins Security Scan
Jenkins: Plaintext password storage
58a8807
to
e737987
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #310 +/- ##
============================================
- Coverage 73.35% 69.18% -4.18%
- Complexity 211 220 +9
============================================
Files 10 11 +1
Lines 882 980 +98
Branches 124 138 +14
============================================
+ Hits 647 678 +31
- Misses 172 232 +60
- Partials 63 70 +7 ☔ View full report in Codecov by Sentry. |
Hi @michael-doubez, this is a working draft where the most basic and common functionality works:
Now, before I move on to update documentation and write some tests, I'd like to get some feedback if the approach is correct. In addition, I have additional points that I have noticed but not sure if I should handle or how to handle at all.
Just for fun, without any activity I keep my jenkins tab opened and UI triggers a lot of requests every x seconds, resulting in at least 2 token refresh requests without any activity
Any additional feedback is welcome. |
Hello, Thanks for the work. You can ignore the warnings about secret leaking, they are mostly irrelevant. There are a lot of features in the PR. I would break them down into:
I should be able to review in depth and (hopefuly) provide relevant feedback next Sunday. |
Hello, I believe I have handled most of the use-cases except the logout. The question remains on how do we proceed. Answering the points in the order they were raised
Back to the first point, we can implement additional features if needed, namely
|
@krezovic the change looks good to me. What bothers me most is the idtoken kept in the session information. It should be removed and kept only in the credentials but that can be ironed out later. |
DO NOT MERGE. Initial RFC for approach.
Testing done
Submitter checklist