Skip to content

clockSkew Javadoc is not consistent with implementation #10174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
andywhite27 opened this issue Aug 13, 2021 · 4 comments · Fixed by #10358
Closed

clockSkew Javadoc is not consistent with implementation #10174

andywhite27 opened this issue Aug 13, 2021 · 4 comments · Fixed by #10358
Assignees
@eleftherias
Labels
in: docs An issue in Documentation or samples status: backported An issue that has been backported to maintenance branches status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: bug A general bug
Milestone
5.7.0-M1

Comments

@andywhite27
Copy link

andywhite27 commented Aug 13, 2021
edited
Loading

Spring Security 5.5.1

In each of the inner classes in the OAuth2AuthorizedClientProviderBuilder (such as the PasswordGrantBuilder) the comment on the use of the clockskew is
PasswordGrantBuilder.clockSkew()
"An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}."

However, the use of the clockskew in the PasswordOAuth2AuthorizedClientProvider and other OAuth2AuthorizedClientProvider implementations does not use the clock skew in this way and instead calculates if the token is expired using

PasswordOAuth2AuthorizedClientProvider.hasTokenExpired()

private boolean hasTokenExpired(OAuth2Token token) {
    return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
}

The calculation does not seem to be the correct use and should match the documentation and be

private boolean hasTokenExpired(OAuth2Token token) {
    return token.getExpiresAt().isBefore(this.clock.instant().minus(this.clockSkew));
}
@andywhite27 andywhite27 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Aug 13, 2021
@eleftherias eleftherias self-assigned this Aug 16, 2021
@eleftherias
Copy link
Contributor

Thanks for reaching out @andywhite27.
This was changed as part of gh-7511, take a look at that issue for more details.

@eleftherias eleftherias added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 19, 2021
@andywhite27
Copy link
Author

Hi @eleftherias ,

I understand the reply although I don't agree! However, that aside there is still an issue here with the documentation which is the first paragraph of my original note. The documentation on each of the classes in OAuth2AuthorizedClientProviderBuilder are incorrect. If the code is not going to be fixed then at least the documentation should be please.

"In each of the inner classes in the OAuth2AuthorizedClientProviderBuilder (such as the PasswordGrantBuilder) the comment on the use of the clockskew is
PasswordGrantBuilder.clockSkew()
"An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}."

@eleftherias
Copy link
Contributor

Thanks @andywhite27, I have reopened the issue. Are you interested in submitting a PR to update the documentation?

@eleftherias eleftherias reopened this Aug 20, 2021
@eleftherias eleftherias added in: docs An issue in Documentation or samples status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: duplicate A duplicate of another issue labels Aug 20, 2021
qavid added a commit to qavid/spring-security that referenced this issue Oct 9, 2021
@qavid
Update clockSkew javadoc according to implementation
2754c93 
Closes spring-projectsgh-10174
@qavid qavid mentioned this issue Oct 9, 2021
Merged
@qavid
Copy link
Contributor

qavid commented Oct 9, 2021

@eleftherias I have prepared PR #10358. Please take a look.

Also please note, that in implementations of hasTokenExpired (e.g. PasswordOAuth2AuthorizedClientProvider#hasTokenExpired) is possible NPE in situations when OAuth2Token#getExpiresAt() returns null.
Do you think we should open new issue?

eleftherias pushed a commit that referenced this issue Nov 19, 2021
@qavid @eleftherias
Update clockSkew javadoc according to implementation
862122a 
Closes gh-10174
@eleftherias eleftherias added this to the 6.0.0-M1 milestone Nov 19, 2021
@eleftherias eleftherias changed the title OAuth2AuthorizedClientProvider clockskew use inconsistent with OAuth2AuthorizedClientProviderBuilder Documentation clockSkew Javadoc is not consistent with implementation Nov 19, 2021
eleftherias pushed a commit that referenced this issue Nov 19, 2021
@qavid @eleftherias
Update clockSkew javadoc according to implementation
aa1ef46 
Closes gh-10174
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.6.x labels Nov 19, 2021
Closed
eleftherias pushed a commit that referenced this issue Nov 19, 2021
@qavid @eleftherias
Update clockSkew javadoc according to implementation
17e28fa 
Closes gh-10174
@eleftherias eleftherias modified the milestones: 6.0.0-M1, 5.7.0-M1 Dec 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@eleftherias eleftherias

Labels
in: docs An issue in Documentation or samples status: backported An issue that has been backported to maintenance branches status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: bug A general bug
Projects
None yet
Milestone
5.7.0-M1
Development

Successfully merging a pull request may close this issue.

Update clockSkew javadoc according to implementation qavid/spring-security
4 participants
@qavid @eleftherias @andywhite27 @spring-projects-issues