firestore-db-and-auth-rs icon indicating copy to clipboard operation
firestore-db-and-auth-rs copied to clipboard

Published 20 hours ago verified publisher icon davidgraeff

session_cookie::create cannot create long lived cookies

Open forficate opened this issue 4 years ago • 2 comments

Describe the bug The createSessionCookie REST API supports a validDuration between five minutes and fourteen days. Ref https://cloud.google.com/identity-platform/docs/reference/rest/v1/projects/createSessionCookie

Using session_cookie::create to obtain a session cookie it is not possible to retrieve a cookie with a duration greater than sixty minutes.

This is caused because of the below line which reuses the cookie duration when requesting a OAuth token.

        let assertion = crate::jwt::session_cookie::create_jwt_encoded(credentials, duration)?;

The request for the OAuth token (POST https://accounts.google.com/o/oauth2/token) with a duration greater than sixty minutes will return:

{
  "error":"invalid_grant",
  "error_description":"Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim."
}

Specifying a duration less than sixty minutes for session_cookie::create will work as expected.

I propose that as the a oauth token is requested every time session_cookie::create is called the JWT duration for getting the oauth token should be reduced to a constant between one to five minutes.

To Reproduce Steps to reproduce the behavior:

  1. call session_cookie::create with a duration more than sixty minutes.

Expected behavior A duration between five and fourteen days should return successfully.

forficate avatar Aug 31 '21 09:08 forficate

Maybe it makes sense to have two duration parameters (oauth token 1..60 minutes and cookie duration 1min..14 days) for the create method? I'm not sure if everyone would appreciate if we settle on a fixed time. That could case more traffic, or more latency in certain scenarios. Wdyt?

davidgraeff avatar Sep 14 '21 19:09 davidgraeff

Two config params would be good if the method is updated to reuse the assertion jwt if already issued and valid.

At the moment the assertion jwt can't be reused as initiated for every call to session::create so two parameters with the current implmentation would have no effect traffic wise from what I can work out.

forficate avatar Sep 17 '21 00:09 forficate