IdentityModel.AspNetCore.OAuth2Introspection icon indicating copy to clipboard operation
IdentityModel.AspNetCore.OAuth2Introspection copied to clipboard

Published 20 hours ago verified publisher icon IdentityModel

feat: add possibility to ignore missing "exp" claim in introspection

Open buehler opened this issue 2 years ago • 7 comments

Hey there!

I'm currently having an issue with an identity provider that does not return the "exp" claim in the introspection response. Since the "exp" claim is not required by the RFC, this may happen to other identity providers.

This option should allow a configuration to ignore the fact that the exp claim is missing.

Then, the default duration is used.

buehler avatar Jul 18 '22 13:07 buehler

Thanks! We will look into it.

leastprivilege avatar Jul 22 '22 08:07 leastprivilege

ping @leastprivilege :-)

buehler avatar May 02 '23 07:05 buehler

@brockallen Could you review?

Not sure we need an additional option - if no exp claim is present, the default cache duration could be used?!

leastprivilege avatar May 02 '23 10:05 leastprivilege

Not sure we need an additional option - if no exp claim is present, the default cache duration could be used?!

Which default cache duration? Of the cache implementation itself?

brockallen avatar May 02 '23 18:05 brockallen

https://github.com/IdentityModel/IdentityModel.AspNetCore.OAuth2Introspection/blob/main/src/OAuth2IntrospectionOptions.cs#L109

leastprivilege avatar May 02 '23 19:05 leastprivilege

Ok, missed that... so yea, agreed on:

Not sure we need an additional option - if no exp claim is present, the default cache duration could be used?!

brockallen avatar May 02 '23 19:05 brockallen

Hey @brockallen, @leastprivilege

I changed the logic according to your comments. I removed the additional options field and "just" removed the expClaim null check. Now if there is no exp claim, the passed duration TimeSpan is used.

buehler avatar May 05 '23 07:05 buehler