node-oauth2-server icon indicating copy to clipboard operation
node-oauth2-server copied to clipboard

Published 20 hours ago verified publisher icon oauthjs

Not OAuth2 compliant

Open KimEbert42 opened this issue 3 years ago • 3 comments

I followed an example of using node-oauth2-server, and it seems the example is non-compliant with OAuth2 standards.

https://github.com/pedroetb/node-oauth2-server-example/issues/10

When I return the json of the token, I get accessTokenExpiresAt instead of the expected expires_in

KimEbert42 avatar Apr 10 '21 16:04 KimEbert42

From https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/

* expires_in (recommended) If the access token expires, the server should reply with the duration of time the access token is granted for.

So it's recommended to be this but not a hard requirement, so this doesn't make it non compliant.

Secondly, though might not be the best thing you'd want, when you get the token just modify wherever you return it from, you don't have to return token itself, you can do whatever you please with it.

const expires_in = token.accessTokenExpiresAt;
delete token.accessTokenExpiresAt;
return {...token, expires_in}

HappyZombies avatar May 11 '21 02:05 HappyZombies

I suppose it isn't non compliant when it comes to handling the access token itself. I would suggest that the expiration time be shared in a compliant way. It was confusing to have the time values included, but then not have them be recognized in the client.

KimEbert42 avatar May 24 '21 17:05 KimEbert42

Actually... expiresAt is the time when it is expiring. So you need actually to subtract the current time from the expiresAt to get expires_in.

Uzlopak avatar Nov 21 '21 02:11 Uzlopak