Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

session_cookie::create cannot create long lived cookies #28

Open
forficate opened this issue Aug 31, 2021 · 2 comments
Open

session_cookie::create cannot create long lived cookies #28

forficate opened this issue Aug 31, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@forficate
Copy link

Describe the bug
The createSessionCookie REST API supports a validDuration between five minutes and fourteen days. Ref https://cloud.google.com/identity-platform/docs/reference/rest/v1/projects/createSessionCookie

Using session_cookie::create to obtain a session cookie it is not possible to retrieve a cookie with a duration greater than sixty minutes.

This is caused because of the below line which reuses the cookie duration when requesting a OAuth token.

        let assertion = crate::jwt::session_cookie::create_jwt_encoded(credentials, duration)?;

The request for the OAuth token (POST https://accounts.google.com/o/oauth2/token) with a duration greater than sixty minutes will return:

{
  "error":"invalid_grant",
  "error_description":"Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim."
}

Specifying a duration less than sixty minutes for session_cookie::create will work as expected.

I propose that as the a oauth token is requested every time session_cookie::create is called the JWT duration for getting the oauth token should be reduced to a constant between one to five minutes.

To Reproduce
Steps to reproduce the behavior:

  1. call session_cookie::create with a duration more than sixty minutes.

Expected behavior
A duration between five and fourteen days should return successfully.
@forficate forficate added the bug Something isn't working label Aug 31, 2021
forficate added a commit to forficate/firestore-db-and-auth-rs that referenced this issue Aug 31, 2021
@forficate
Fixes davidgraeff#28 davidgraeff#28, allow cookie greater than sixty …
6bbc19d 
…minutes.
@forficate forficate mentioned this issue Aug 31, 2021
Closed
forficate added a commit to forficate/firestore-db-and-auth-rs that referenced this issue Aug 31, 2021
@forficate
Fixes davidgraeff#28 davidgraeff#28, allow cookie greater than sixty …
3de9d7f 
…minutes.

Signed-off-by: Adam Evans <[email protected]>
@davidgraeff
Copy link
Owner

Maybe it makes sense to have two duration parameters (oauth token 1..60 minutes and cookie duration 1min..14 days) for the create method? I'm not sure if everyone would appreciate if we settle on a fixed time. That could case more traffic, or more latency in certain scenarios. Wdyt?

@forficate
Copy link
Author

Two config params would be good if the method is updated to reuse the assertion jwt if already issued and valid.

At the moment the assertion jwt can't be reused as initiated for every call to session::create so two parameters with the current implmentation would have no effect traffic wise from what I can work out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@davidgraeff @forficate