Add expiration for refresh token

Author: varuna-sd

oidc_provider/lib/endpoints/token.py

@@ -122,11 +122,15 @@ def validate_params(self):
             try:
                 self.token = Token.objects.get(refresh_token=self.params['refresh_token'],
                                                client=self.client)
-
             except Token.DoesNotExist:
                 logger.debug(
                     '[Token] Refresh token does not exist: %s', self.params['refresh_token'])
                 raise TokenError('invalid_grant')
+
+            if self.token.has_expired_refresh_token():
+                logger.debug(
+                    '[Token] Refresh token expired: %s', self.params['refresh_token'])
+                raise TokenError('invalid_token')
         elif self.params['grant_type'] == 'client_credentials':
             if not self.client._scope:
                 logger.debug('[Token] Client using client credentials with empty scope')

oidc_provider/models.py

@@ -3,12 +3,13 @@
 import binascii
 from hashlib import md5, sha256
 import json
+import datetime
 
 from django.db import models
 from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
-
+from . import settings as oidc_settings
 
 CLIENT_TYPE_CHOICES = [
     ('confidential', 'Confidential'),
@@ -217,6 +218,24 @@ class Meta:
     def id_token(self):
         return json.loads(self._id_token) if self._id_token else None
 
+    def has_expired_refresh_token(self):
+        if not oidc_settings.get('OIDC_REFRESH_TOKEN_EXPIRE'):
+            return False
+
+        if oidc_settings.get('OIDC_REFRESH_TOKEN_EXPIRE') < oidc_settings.get('OIDC_TOKEN_EXPIRE'):
+            raise ValueError('Invalid setting for OIDC_REFRESH_TOKEN_EXPIRE')
+
+        # Note: Increasing expiration time settings could make previously
+        # expired refresh tokens usable. Therefore, clear all the
+        # refresh tokens when increasing refresh token expire time.
+        offset = (
+                oidc_settings.get('OIDC_REFRESH_TOKEN_EXPIRE')
+                - oidc_settings.get('OIDC_TOKEN_EXPIRE')
+        )
+        expires_at = self.expires_at + datetime.timedelta(seconds=offset)
+
+        return timezone.now() >= expires_at
+
     @id_token.setter
     def id_token(self, value):
         self._id_token = json.dumps(value)

oidc_provider/settings.py

@@ -113,6 +113,19 @@ def OIDC_TOKEN_EXPIRE(self):
         """
         return 60*60
 
+    @property
+    def OIDC_REFRESH_TOKEN_EXPIRE(self):
+        """
+        OPTIONAL. Refresh token expiration time expressed in seconds.
+
+        Zero: Refresh token doesn't expire.
+        Note: Increasing expiration time settings could make previously
+        expired refresh tokens usable. Hence, increase expiry time with care.
+        Ex: delete existing refresh tokens before increasing
+        refresh token expire time.
+        """
+        return 0
+
     @property
     def OIDC_USERINFO(self):
         """

oidc_provider/tests/cases/test_token_endpoint.py

@@ -3,6 +3,9 @@
 import uuid
 
 from base64 import b64encode
+from datetime import timedelta
+
+from django.utils import timezone
 
 try:
     from urllib.parse import urlencode
@@ -429,6 +432,53 @@ def do_refresh_token_check(self, scope=None):
         response = self._post_request(post_data)
         self.assertIn('invalid_grant', response.content.decode('utf-8'))
 
+        # Refresh token doesn't expires with default settings
+        post_data = self._refresh_token_post_data(response_dic2['refresh_token'], scope)
+        expiry_time = timezone.now() + timedelta(
+            seconds=24*60*60,
+        )
+        with patch('oidc_provider.models.timezone.now') as time_func:
+            time_func.return_value = expiry_time
+            response = self._post_request(post_data)
+            self.assertIn('refresh_token', response.content.decode('utf-8'))
+
+    @override_settings(OIDC_IDTOKEN_INCLUDE_CLAIMS=True)
+    @override_settings(OIDC_REFRESH_TOKEN_EXPIRE=24 * 60 * 60)
+    def test_refresh_token_expiry(self):
+        """
+        Refresh token expiry
+        Make sure that refresh token expires properly.
+        """
+        response = self._refresh_request(elapsed_time=24 * 60 * 60)
+        self.assertIn('invalid_token', response.content.decode('utf-8'))
+
+    @override_settings(OIDC_IDTOKEN_INCLUDE_CLAIMS=True)
+    @override_settings(OIDC_REFRESH_TOKEN_EXPIRE=24 * 60 * 60)
+    def test_refresh_token_not_expired(self, scope=None):
+        """
+        Refresh token expiry
+        Make sure that refresh token is not expired.
+        """
+        response = self._refresh_request(elapsed_time=(24 * 60 * 60) - 1)
+        self.assertIn('id_token', response.content.decode('utf-8'))
+
+    def _refresh_request(self, elapsed_time):
+        code = self._create_code()
+        self.assertEqual(code.scope, ['openid', 'email'])
+        post_data = self._auth_code_post_data(code=code.code)
+        response = self._post_request(post_data)
+        response_dic1 = json.loads(response.content.decode('utf-8'))
+        # Use refresh token to obtain new token
+        post_data = self._refresh_token_post_data(
+            response_dic1['refresh_token'], code.scope
+        )
+        current_time = timezone.now() + timedelta(seconds=elapsed_time)
+        with patch('oidc_provider.models.timezone.now') as time_func:
+            time_func.return_value = current_time
+            response = self._post_request(post_data)
+
+        return response
+
     def test_client_redirect_uri(self):
         """
         Validate that client redirect URIs exactly match registered