oauth2
oauth2 copied to clipboard
golang
Token expiration tolerance should be configurable
The expiryDelta used to calculate token validity is fixed at 10 seconds. https://github.com/golang/oauth2/blob/master/token.go#L21
This issue tracks making this value configurable. Why? To support scenarios where the token may be not be used until >10s in the future.
Token validity is used to refresh cached values, e.g., https://github.com/golang/oauth2/blob/master/oauth2.go#L260
An alternative API would be to support invalidation of the token cache. But, in either case, a way to configure the max acceptable age of a token is necessary to avoid corner cases when expiration is near.
👍 for the issue.
My usecase is to force refresh stored tokens and I need to have custom expiryDelta.
Another possible solution might be to expose tokenRefresher, so one would have much more control over the refreshment process.
I've opened a PR that would accommodate this issue here: https://github.com/golang/oauth2/pull/396
This is really needed. Some OAuth services have expiry of access token=refresh token which makes using standard library oauth impossible.
An alternative API would be to support invalidation of the token cache. But, in either case, a way to configure the max acceptable age of a token is necessary to avoid corner cases when expiration is near.
Yet another option would be to expose the capability to refresh the token on demand. If you consider the case above I'd still need to trigger token requests within the expiry delta to actually refresh. Could as well just invoke the exposed Refresh() capability.
Note: this issue actually looks a lot like https://github.com/golang/oauth2/commit/4abfd87339731bbbde108264890e9636453bf0f9.
/cc @codyoss @rolandshoemaker any chance to move this forward?
Going through the commits it seems we could already do this with https://github.com/golang/oauth2/commit/1e7f32936487c0d8052d63fd32d84f4c1121986e.