Skip to content

Add expireAt to OAuth2AuthorizationRequest and clean-up expired requests on save #7381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Add expireAt to OAuth2AuthorizationRequest and clean-up expired requests on save #7381

wants to merge 1 commit into from

Conversation

AndreasKl
Copy link
Contributor

Fixes gh-5145.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 5, 2019
@AndreasKl AndreasKl mentioned this pull request Sep 5, 2019
Closed
@jgrandja jgrandja self-assigned this Sep 30, 2019
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 30, 2019
jgrandja
jgrandja requested changes Sep 30, 2019
View reviewed changes
Copy link
Contributor

@jgrandja jgrandja left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @AndreasKl.

There is quite a bit of coupling in the OAuth2AuthorizationRequestResolver and AuthorizationRequestRepository and it's implementations (and Reactive). I feel we should rework things to remove this coupling and potentially allow for reuse in other areas within the OAuth support, eg. expiring PK from a JWK Cache.

The expiring capability is really a cross-cutting concern. Can you try the following solution?

  • Intercept calls to loadAuthorizationRequest() and store the information necessary
  • At a scheduled time (configurable with skew), the component will attempt to loadAuthorizationRequest() and if it returns than determine if time has expired and than removeAuthorizationRequest

Please take a look at the Cache abstraction to see if it would meet our needs.

.../main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
@@ -55,6 +57,7 @@
private Map<String, Object> additionalParameters;
private String authorizationRequestUri;
private Map<String, Object> attributes;
private Instant expiresAt;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An Authorization Request does not have an expiresAt attribute/parameter as per spec. This really is an implementation detail and should be externalized to the expiring component.

@AndreasKl
Copy link
Contributor Author

AndreasKl commented Oct 1, 2019
edited
Loading

Thanks for the PR @AndreasKl.

There is quite a bit of coupling in the OAuth2AuthorizationRequestResolver and AuthorizationRequestRepository and it's implementations (and Reactive). I feel we should rework things to remove this coupling and potentially allow for reuse in other areas within the OAuth support, eg. expiring PK from a JWK Cache.

The expiring capability is really a cross-cutting concern. Can you try the following solution?

* Intercept calls to `loadAuthorizationRequest()` and store the information necessary

* At a scheduled time (configurable with skew), the component will attempt to `loadAuthorizationRequest()` and if it returns than determine if time has expired and than `removeAuthorizationRequest`

Please take a look at the Cache abstraction to see if it would meet our needs.

If you have time could you have a look at: #5145 (comment) . I'm now even more convinced that a size based solution could be a better match; we see a few OAuth2AuthorizationRequest that exists for over 10 minutes on our production system.

Off the top of my head, I think the cache abstraction would impose a quite large runtime requirement to the user of spring security. The user than has to deploy a distributed cache for be able to prevent what is effectively a way to cause an OOM in an application.

I definitely see the need for reducing the duplication and fully understand that OAuth2AuthorizationRequest should not contain a createdAt or a expiresAt, I'll look into other options to store the data and generalize the clean up.

@jgrandja
Copy link
Contributor

jgrandja commented Oct 1, 2019
edited
Loading

I think the cache abstraction would impose a quite large runtime requirement to the user of spring security

I'm not convinced it's the right solution to use either but we should at least rule it out and give reasons for it. I'd prefer a very light solution.

I'm now even more convinced that a size based solution could be a better match

I still think we should account for time-based as well. For low-load client applications, an OAuth2AuthorizationRequest could hang out for a long time. Size-based takes care of high-load client applications. I feel we should account for both.

@AndreasKl AndreasKl closed this Aug 3, 2020
@jgrandja jgrandja removed the type: enhancement A general enhancement label Aug 4, 2020
@candrews candrews mentioned this pull request Mar 23, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jgrandja jgrandja jgrandja requested changes

Assignees

@jgrandja jgrandja

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OAuth2AuthorizationRequest should expire
3 participants
@AndreasKl @jgrandja @spring-projects-issues