Skip to content

Support injecting clock into token generation code #1950

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
symposion opened this issue Mar 26, 2025 · 2 comments
Open

Support injecting clock into token generation code #1950

symposion opened this issue Mar 26, 2025 · 2 comments
Labels
type: enhancement A general enhancement

Comments

@symposion
Copy link

symposion commented Mar 26, 2025
edited by jgrandja
Loading

JwtGenerator currently does this to get the token issued time:

Instant issuedAt = Instant.now();

Compare this against how the JwtTimestampValidator in the Spring resource-server implementation is coded:

 Instant expiry = jwt.getExpiresAt();
if (expiry != null && Instant.now(this.clock).minus(this.clockSkew).isAfter(expiry)) {
    OAuth2Error oAuth2Error = this.createOAuth2Error(String.format("Jwt expired at %s", jwt.getExpiresAt()));
    return OAuth2TokenValidatorResult.failure(new OAuth2Error[]{oAuth2Error});
}

Notice that you can override the clock in the validator to change the definition of "now" It would be very useful if the same thing could be done on the generation side as well.

Context

We have an extensive testing framework which makes use of comparison against known-good outputs. But obviously if these outputs include any kind of time derived from the current time of execution, the test output becomes variable. Rather than having to clutter up our test code with manual timestamp assertions for all of these, we require all of our services to obtain the current time from a special service that supports "fixing" time and then manually adjusting during the course of a test. This allows for stable test output even when timestamps are involved.

It would be a trivial change to support overriding the clock in the JwtGenerator instead of acquiring the "now" value directly from Instant.now() I'm happy to submit a PR.

In the short term we can work around this with a JwtCustomizer, but it's ugly because it means we have to replicate the logic embedded in the generator that sets the various derived times in the token claims

Related gh-1631
@symposion symposion added the type: enhancement A general enhancement label Mar 26, 2025
@jgrandja
Copy link
Collaborator

@symposion Thanks for logging this issue.

It would be a trivial change to support overriding the clock in the JwtGenerator instead of acquiring the "now" value directly from Instant.now()

It wouldn't be a trivial change as we need to account for all the following OAuth2TokenGenerator's:

  • JwtGenerator
  • OAuth2AccessTokenGenerator
  • OAuth2RefreshTokenGenerator
  • OAuth2AuthorizationCodeGenerator
  • OAuth2UserCodeGenerator
  • OAuth2DeviceCodeGenerator

I'm glad you have a path moving forward with a JwtCustomizer. Let's see if other users need this capability.

@DevDengChao
Copy link
Contributor

I’ll vote up for this.

I wrote a lot of tests regarding the concept of now and today. However, when the test cases ran past 23:59:59, they failed. To address this, I had to inject a TimestampSupplier into the logic, allowing me to control the exact now during the test execution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@symposion @jgrandja @DevDengChao