fix: handle missing expires_in in OAuth token response #3992
Open
ecthelion77 wants to merge 1 commit into IBM:main from
Signed-off-by: Olivier Gintrand <olivier.gintrand@forterro.com>
## 🐛 Bug-fix PR

### 📌 Summary

When an OAuth2 provider omits the `expires_in` field from the token response, the gateway crashes with a `TypeError` during token storage. The `expires_in` parameter is RECOMMENDED but not REQUIRED per RFC 6749 Section 5.1, so providers may legitimately omit it (e.g., GitHub OAuth Apps, some Azure AD configurations).

Fixes #3989

### 🔁 Reproduction Steps

- `expires_in` in the token response
- `TypeError: unsupported operand type(s) for +: 'datetime' and 'NoneType'`

### 🐞 Root Cause

In `oauth_manager.py`, `token_response.get("expires_in", self.settings.oauth_default_timeout)` always returns a value, which hides the issue. However, when the provider returns `expires_in: null` or omits it entirely and the fallback default is also `None`, the code in `token_storage_service.py` tries to compute `datetime.now() + timedelta(seconds=int(None))`, which raises `TypeError`.

More importantly, the current code papers over the absence of `expires_in` by substituting `oauth_default_timeout`, which may not reflect the actual token lifetime — the token could be valid indefinitely.

### 💡 Fix Description

- `oauth_manager.py`: Extract `expires_in` with `.get()` and explicitly convert to `int` only when present. Pass `None` when the provider does not specify expiration.
- `token_storage_service.py`:
  - `expires_in` parameter type from `int` to `Optional[int]`
  - `expires_in is None`: set `expires_at = None` and log an informational message
  - `expires_in` is provided: compute `expires_at` as before

The existing `_is_token_expired()` method already handles `expires_at=None` correctly (returns `False`, treating the token as non-expired).

### 🧪 Verification

- `make lint`
- `make test`
- `make coverage`

### 📐 MCP Compliance (if relevant)

### ✅ Checklist
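The following is an added, stand-alone illustration of the token-lifetime handling the PR description explains; it is not the project's code and not the PR author's diff. The function and type names (`parse_expires_in`, `store_token`, `is_token_expired`, `TokenRecord`, `legacy_store_token`) and the sample responses are constructed for this example. It shows the "before" computation that fails on a `None` lifetime next to the "after" behaviour (optional `expires_in`, `expires_at = None` with an informational log, and an expiry check that treats an unknown expiry as non-expired); it goes slightly beyond the PR by also handling an explicit JSON `null` and a numeric string, both of which `int()` conversion only-when-present covers.

```python
"""Added example (not the project's code): optional `expires_in` handling for
an OAuth2 token response, per RFC 6749 section 5.1 (RECOMMENDED, not REQUIRED).
All names here are hypothetical and chosen for this illustration only."""
from __future__ import annotations

import logging
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Optional

log = logging.getLogger(__name__)

# A fixed "now" so the example is deterministic (constructed value).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample token responses; not output from any real provider.
SAMPLE_WITH_EXPIRY = {"access_token": "tok-a", "token_type": "bearer", "expires_in": 3600}
SAMPLE_STRING_EXPIRY = {"access_token": "tok-b", "token_type": "bearer", "expires_in": "7200"}
SAMPLE_NULL_EXPIRY = {"access_token": "tok-c", "token_type": "bearer", "expires_in": None}
SAMPLE_NO_EXPIRY = {"access_token": "tok-d", "token_type": "bearer"}


@dataclass
class TokenRecord:
    access_token: str
    # None means the provider gave no lifetime; it is NOT a default timeout.
    expires_at: Optional[datetime]


def legacy_store_token(expires_in: Optional[int], now: datetime) -> datetime:
    """'Before' behaviour described in the PR: int(None) raises TypeError."""
    return now + timedelta(seconds=int(expires_in))


def parse_expires_in(token_response: dict[str, Any]) -> Optional[int]:
    """Return expires_in as an int only when the provider actually sent one.

    A missing key and an explicit JSON null both mean "lifetime unknown", so
    neither is replaced by a default timeout. A value that is present but not
    numeric raises ValueError from int(), which is a deliberate loud failure.
    """
    raw = token_response.get("expires_in")
    if raw is None:
        return None
    return int(raw)


def store_token(access_token: str, expires_in: Optional[int],
                now: Optional[datetime] = None) -> TokenRecord:
    """Compute expires_at, or store None when no lifetime was supplied."""
    now = now or datetime.now(timezone.utc)
    if expires_in is None:
        log.info("Provider did not specify expires_in; storing token without an expiry")
        return TokenRecord(access_token=access_token, expires_at=None)
    return TokenRecord(access_token=access_token,
                       expires_at=now + timedelta(seconds=expires_in))


def is_token_expired(record: TokenRecord, now: Optional[datetime] = None) -> bool:
    """Unknown expiry is treated as non-expired, mirroring what the PR says
    the existing _is_token_expired() does for expires_at=None."""
    if record.expires_at is None:
        return False
    now = now or datetime.now(timezone.utc)
    return now >= record.expires_at


def handle_token_response(token_response: dict[str, Any],
                          now: Optional[datetime] = None) -> TokenRecord:
    """End-to-end: parse the optional lifetime, then store the token."""
    expires_in = parse_expires_in(token_response)
    return store_token(token_response["access_token"], expires_in, now=now)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for sample in (SAMPLE_WITH_EXPIRY, SAMPLE_STRING_EXPIRY,
                   SAMPLE_NULL_EXPIRY, SAMPLE_NO_EXPIRY):
        rec = handle_token_response(sample, now=SAMPLE_NOW)
        print(rec.access_token, rec.expires_at, is_token_expired(rec, now=SAMPLE_NOW))
```

A practical consequence of storing `None` rather than a default timeout is that the stored record now says honestly that the lifetime is unknown; any later revocation or re-validation policy for such tokens can key on `expires_at is None` instead of on a fabricated timestamp.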