Use longer OAuth flow timeout for interactive frontend logins#4361
Open
reinkrul wants to merge 1 commit into
Conversation
The state-to-OAuthSession mapping for the authorization-code callback flows used a hard 1-minute TTL. That window has to cover the entire interactive round-trip (redirect to the external IdP, user login/MFA/consent, redirect back to the callback), which is too tight for a human login and made the callback fail with "invalid or expired state". Add oauthFrontendFlowTimeout (5 min) and apply it via WithTTL on the two interactive auth-code flows (OpenID4VCI auth-code and OpenID4VP user login). Back-end (service-to-service) flows keep the 1-minute oAuthFlowTimeout. Both flows share the same store; the per-entry TTL distinguishes them, so the callback reader is unaffected. Assisted by AI
Contributor
Coverage Impact ⬆️ Merging this pull request will increase total coverage on Modified Files with Diff Coverage (2)

Fixes #4345.
Problem
The `state → OAuthSession` mapping for the OAuth authorization-code callback flows used a hard 1-minute TTL (`oAuthFlowTimeout`). That window has to cover the entire interactive round-trip: redirect to the external IdP, the user authenticating (password, MFA, consent), then the redirect back to the callback. For a human login that is too tight, so the callback failed with `invalid_request` "invalid or expired state".

Change

- Add `oauthFrontendFlowTimeout = 5 * time.Minute` for interactive auth-code flows.
- Apply `storage.WithTTL(...)` on the two interactive Puts:
  - OpenID4VCI auth-code (`openid4vci.go`)
  - OpenID4VP user login (`user.go`)
- Back-end (service-to-service) flows keep `oAuthFlowTimeout`.

Both flow types share the same `oauthClientStateStore`. The store-level TTL is only a default; the actual expiry is set per entry at `Put` time, so the per-entry `WithTTL` cleanly distinguishes interactive from back-end entries and the callback reader (`api.go`) is unaffected — no need to split into two stores.

Notes

`state`, but `state` is a single-use unguessable nonce consumed on first callback; 5 min is standard for auth-code flows.

Assisted by AI
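The design the description relies on, in a small stand-alone Go model: one shared store whose store-level TTL is only a default, a per-entry `WithTTL` override applied at `Put` time for the interactive flow, and a `state` that is consumed on first callback so it can be redeemed at most once. This is an added example, not code from the PR or from the project; `StateStore`, `Put`, `Consume`, `NewState`, `Scenario`, the `OAuthSession` field and the state strings are hypothetical, and only the two timeout names and their values come from the description.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// The two TTLs named in the PR description, with the values it states.
const (
	oAuthFlowTimeout         = time.Minute     // back-end (service-to-service) flows
	oauthFrontendFlowTimeout = 5 * time.Minute // interactive frontend logins
)

var ErrUnknownState = errors.New("invalid or expired state")

// OAuthSession is a hypothetical stand-in for the data stored under a state value.
type OAuthSession struct{ ClientID string }

type entry struct {
	session OAuthSession
	expires time.Time
}

// StateStore (hypothetical) models one shared state -> session store: a default TTL at store
// level, with the real expiry fixed per entry when Put is called.
type StateStore struct {
	mu         sync.Mutex
	defaultTTL time.Duration
	now        func() time.Time // injectable clock so expiry can be exercised deterministically
	entries    map[string]entry
}

// PutOption adjusts one Put; WithTTL is modelled on the storage.WithTTL option the PR applies.
type PutOption func(ttl *time.Duration)

func WithTTL(ttl time.Duration) PutOption { return func(d *time.Duration) { *d = ttl } }

// Put stores the session under state, expiring after the store default unless WithTTL overrides it.
func (s *StateStore) Put(state string, sess OAuthSession, opts ...PutOption) {
	ttl := s.defaultTTL
	for _, opt := range opts {
		opt(&ttl)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[state] = entry{session: sess, expires: s.now().Add(ttl)}
}

// Consume is the callback-side read: the entry is removed on first use whether or not it is
// still valid, so a state can be redeemed at most once and never after its own expiry.
func (s *StateStore) Consume(state string) (OAuthSession, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[state]
	delete(s.entries, state)
	if !ok || s.now().After(e.expires) {
		return OAuthSession{}, ErrUnknownState
	}
	return e.session, nil
}

// NewState produces the unguessable single-use nonce the Notes rely on (256 bits from crypto/rand).
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Scenario stores one back-end entry (default TTL) and one interactive entry (WithTTL) at t0,
// advances the clock by elapsed, and reports whether each callback succeeds and whether a second
// redemption of the interactive state is rejected. The state strings are constructed for clarity.
func Scenario(elapsed time.Duration) (backendOK, frontendOK, replayRejected bool) {
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	current := t0
	store := &StateStore{defaultTTL: oAuthFlowTimeout, now: func() time.Time { return current }, entries: map[string]entry{}}
	store.Put("constructed-backend-state", OAuthSession{ClientID: "service-client"})
	store.Put("constructed-frontend-state", OAuthSession{ClientID: "browser-client"}, WithTTL(oauthFrontendFlowTimeout))
	current = t0.Add(elapsed)
	_, errBackend := store.Consume("constructed-backend-state")
	_, errFrontend := store.Consume("constructed-frontend-state")
	_, errReplay := store.Consume("constructed-frontend-state")
	return errBackend == nil, errFrontend == nil, errReplay != nil
}

func main() {
	state, _ := NewState()
	fmt.Println("example state nonce:", state)
	for _, d := range []time.Duration{30 * time.Second, 2 * time.Minute, 6 * time.Minute} {
		b, f, r := Scenario(d)
		fmt.Printf("after %v: backend ok=%v, frontend ok=%v, replay rejected=%v\n", d, b, f, r)
	}
}
```

Running it shows the property the PR argues for: after two minutes the back-end entry has already expired while the interactive entry is still redeemable, and in every case the second `Consume` of the same state is refused because the first one deleted it, which is why the longer window does not turn a leaked `state` into a reusable one.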