Client credentials returns incorrect expires_in time
Making a request to my local express server's /oauth/token endpoint always returns an access token TTL of 3600, regardless of my Application's access token TTL settings.
This
curl -X POST --user $ACCOUNT_ID:$ACCOUNT_SECRET http://localhost:3000/oauth/token -d grant_type=client_credentials
returns
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI2WFU5UzhLU0hHR1lTVVlZNVRaNTNVWkJIIiwiaXNzIjoiaHR0cHM6Ly9hcGkuc3Rvcm1wYXRoLmNvbS92.....","token_type":"bearer","expires_in":3600,"scope":""}
Making the same request to https://api.stormpath.com/v1/applications/$APP_ID/oauth/token?grant_type=client_credentials&client_id=$USER_ID&client_secret=$USER_SECRET results in the correct expires_in time.
This library isn't (yet) using our REST API to create tokens for the client_credentials workflow. The underlying Node SDK will have this implemented in the next release (it's in master now), at which point we will need to refactor this library to use the Node SDK for this workflow.
The area to change is here:
https://github.com/stormpath/express-stormpath/blob/master/lib/controllers/get-token.js#L112
We can probably remove that block, and just have the client_credentials case be handled by the OAuthAuthenticator in the previous block.
@typerandom this can be worked on; just link to master of the Node SDK. The upcoming release 0.19.0 will have the needed changes, as well as the new scope factory, which is currently being reviewed here:
https://github.com/stormpath/stormpath-sdk-node/pull/558
For convenience we should provide a way for the developer to pass a scope factory when initializing express-stormpath, so that express developers can also make use of this new scope factory feature.
Any updates on this? I've leveled-up to stormpath 0.19.0 and express-stormpath 3.1.8 and it doesn't seem to be resolved yet.