client_secret_expires_at accepted value

By: Sakit Atakishiyev user 01 May 2017 at 2:19 a.m. CDT

8 Responses
Sakit Atakishiyev gravatar
When set `client_secret_expires_at` on request which value we should set unix epoch timestamp or timestamp in milliseconds?
U1404
closed

Answers

By Mohib Zico Account Admin 01 May 2017 at 4:37 a.m. CDT

Copy
Mohib Zico gravatar
Here is an example... If you set client secret expires: ( 8th May, 1987; 12:10 am ).. then `oxAuthClientSecretExpiresAt: 1987 08 05 00 10 00.000Z`

By Sakit Atakishiyev user 02 May 2017 at 5:20 a.m. CDT

Copy
Sakit Atakishiyev gravatar
Thanks. I also checked we should pass this value in milliseconds. Otherwise during registration last 3 digit truncate on the gluu side. For example: if you pass in request `1493720379`, response return with `1493720`. But if you pass `1493720379000`, response return `1493720379`

By Eckhard Lehmann user 16 May 2019 at 3:27 a.m. CDT

Copy
Eckhard Lehmann gravatar
I have the same problem. As per OpenID Connect specification for client registration (https://openid.net/specs/openid-connect-registration-1_0.html), the *client_secret_expires_at* parameter is a number, representing the number of seconds since 1970-01-01T0:0:0Z UTC. When I set such a number in the dynamic client registration request, the last 3 digits are truncated, which results in client registration expires at some time around 1970. Working with Gluu 3.1.4. It seems to be a bug. Is it known as a bug or even fixed in newer versions?

By Mohib Zico Account Admin 16 May 2019 at 3:52 a.m. CDT

Copy
Mohib Zico gravatar
Eckhard, I'll check newer versions stats as soon as I can get some time

By Eckhard Lehmann user 20 May 2019 at 2:22 a.m. CDT

Copy
Eckhard Lehmann gravatar
Hi Mohib, thanks :). While you are at it, could you also please check if the "scope" parameter can be set during dynamic client registration in newer versions? For me this doesn't work (with Gluu 3.1.4). I tried several input formats: "scope":"openid profile", "scope":["openid","profile"], "scope":"openid,profile", but neither works. The scope is either set to the default values or to an empty list. This looks like a bug as well, I think it should be possible to set the desired scopes in dynamic registrations, as long as they are present in the instance.

By Mohib Zico Account Admin 22 May 2019 at 3:57 p.m. CDT

Copy
Mohib Zico gravatar
Hi, I just tried dynamic client registration in 3.1.6. It looks okay to me: Here is what it looks like: ``` dn: inum=@!409A.279C.70E8.7073!0001!91C8.B2C0!0008!02C3.FEDD.BDA6.DA08,ou=clients,o=@!409A.279C.70E8.7073!0001!91C8.B2C0,o=gluu oxAuthClientSecretExpiresAt: 20190523104923.372Z ```

By Eckhard Lehmann user 03 Jun 2019 at 3:04 a.m. CDT

Copy
Eckhard Lehmann gravatar
Hello Mohib, Thanks for letting me know. I had the chance now to try out 3.1.6 in a separate installation. For what I've seen, the default expiry date is now something far in the future (2110 or the like), but its not changeable from the outside at all. If I set the "client_secret_expires_at" parameter, it has no effect. I tried with the systemd-spawn container installation (the default community setup). Also the "scope" parameter behaves the same as with 3.1.4, I cannot set it to any valid combination of scopes, except the single value "openid". All other combinations of scopes, like "scope":"openid profile" are not accepted and lead to an empty scopes list in the newly created client. Where is the better place to file these as bugs, here in the forum or on github?

By Mohib Zico Account Admin 03 Jun 2019 at 5:09 a.m. CDT

Copy
Mohib Zico gravatar
Hi, >> Where is the better place to file these as bugs, here in the forum or on github? For oxAuth bug report: https://github.com/GluuFederation/oxAuth/issues Thanks!

Post an answer