Re: UAA: How to set client_credentials token grant type to not expire

Home Messages Hashtags Subgroups

#1243

Re: UAA: How to set client_credentials token grant type to not expire

Paul Bakare #1243 Thank you. Needed to update to make this work. uaac client update useraccount --access_token_validity 315360000 toggle quoted message Show quoted text On Fri, Jul 31, 2015 at 4:19 PM, Filip Hanik <fhanik(a)pivotal.io> wrote: Start a local server (./gradlew run --info) In another console, the following commands 1. uaac target http://localhost:8080/uaa 2. uaac token client get admin -s adminsecret 3. uaac client add testclient --authorized_grant_types client_credentials --access_token_validity 315360000 --authorities openid -s testclientsecret 4. uaac token client get testclient -s testclientsecret 5. uaac token decode The output from the last command is jti: 7397c7c9-de08-4b33-bd6a-0d248fd983b1 sub: testclient authorities: openid scope: openid client_id: testclient cid: testclient azp: testclient grant_type: client_credentials rev_sig: fbc56677 iat: 1438351964 exp: 1753711964 iss: http://localhost:8080/uaa/oauth/token zid: uaa aud: testclient openid The exp time is 1753711964, that is seconds from Jan 1st, 1970, and corresponds to July 28, 2025 On Fri, Jul 31, 2015 at 12:57 AM, Kayode Odeyemi <dreyemi(a)gmail.com> wrote: Filip, Here's my client config: useraccount scope: clients.read oauth.approvals openid password.write tokens.read tokens.write uaa.admin resource_ids: none authorized_grant_types: authorization_code client_credentials password refresh_token authorities: scim.read scim.userids uaa.admin uaa.resource clients.read scim.write cloud_controller.write scim.me clients.secret password.write clients.write openid cloud_controller.read oauth.approvals access_token_validity: 315360000 autoapprove: true Gotten from `uaac clients` I really do not know what else I might be doing wrongly. Does `test_Token_Expiry_Time()` also cover for client_credentials grant type? I tried running the test with `./gradlew test -Dtest.single=org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests` and placed debuggers in order to view the generated expiration time. Nothing was printed in the test results. On Wed, Jul 29, 2015 at 6:11 PM, Filip Hanik <fhanik(a)pivotal.io> wrote: exp is expected to be 1753544877 when decoded. Unfortunately, this test fails, as exp reads 1438228276 most likely your client does not have the access token validity setup correctly. See the test case I posted that validates my statements https://github.com/cloudfoundry/uaa/commit/f0c8ba99cf37855fec54b74c07ce19613c51d7e9#diff-f7a9f1a69eec2ce4278914f342d8a160R883 On Wed, Jul 29, 2015 at 9:57 AM, Kayode Odeyemi <dreyemi(a)gmail.com> wrote: Good. But my apologies. Assume: creation time = 1438184877 access token validity (set by me) = 315360000 exp is expected to be 1753544877 when decoded. Unfortunately, this test fails, as exp reads 1438228276 On Wed, Jul 29, 2015 at 5:43 PM, Filip Hanik <fhanik(a)pivotal.io> wrote: If I set the access_token_validity to 315569260, I'm expecting the token when decoded to read exp: 315569260. If this is not, then is it possible to set the token expiry time? It's a little bit different. access_token_validity is how long the token is valid for from the time of creation. thus we can derive exp (expiration time) = token creation time + access token validity you don't get to set the expiration time, since that doesn't make sense as the clock keeps ticking forward. in your case, having access token validity be 10 years, achieves exactly what you want Filip On Wed, Jul 29, 2015 at 9:36 AM, Kayode Odeyemi <dreyemi(a)gmail.com> wrote: Thanks again Filip. However, here's what I mean, If I set the access_token_validity to 315569260, I'm expecting the token when decoded to read exp: 315569260. If this is not, then is it possible to set the token expiry time? line 906 sets the value to 1438209609 when the token is decoded and I believe that's what the check_token service also checks. expirationTime1000l occurs after the token has been decoded (whose exp value is set to 1438209609) Now the question is why do you have to do expirationTime1000l since the token when decoded originally set's this value to 1438209609 (without * 1000l) Except I'm completely getting this all wrong? _______________________________________________ cf-dev mailing list cf-dev(a)lists.cloudfoundry.org https://lists.cloudfoundry.org/mailman/listinfo/cf-dev _______________________________________________ cf-dev mailing list cf-dev(a)lists.cloudfoundry.org https://lists.cloudfoundry.org/mailman/listinfo/cf-dev _______________________________________________ cf-dev mailing list cf-dev(a)lists.cloudfoundry.org https://lists.cloudfoundry.org/mailman/listinfo/cf-dev _______________________________________________ cf-dev mailing list cf-dev(a)lists.cloudfoundry.org https://lists.cloudfoundry.org/mailman/listinfo/cf-dev _______________________________________________ cf-dev mailing list cf-dev(a)lists.cloudfoundry.org https://lists.cloudfoundry.org/mailman/listinfo/cf-dev _______________________________________________ cf-dev mailing list cf-dev(a)lists.cloudfoundry.org https://lists.cloudfoundry.org/mailman/listinfo/cf-dev attachment.html attachment.html
More All Messages By This Member

View All 13 Messages In Topic

#1243

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.

Home Hashtags Subgroups Terms