ory/hydra-maester

Add new TokenTTL configs from Hydra

Closed this issue · 0 comments

sja commented

Preflight checklist

Context and scope

With ory/hydra#3206, Ory introduced the config for token lifetimes by client, TokenType, etc.
The implementation in the latest Hydra releases does not make use of the fosite master branch implementation but has its own variant, where config params like AuthorizationCodeGrantAccessTokenLifespan are direct attributes of Client instead of living in TokenLifespans as they do in fosite.

I want to add these new configs to hydra-maester.

Goals and non-goals

  • hydra-maester is able to set the new lifetime configs in hydra

The design

I suggest adding TokenLifespans as a new optional attribute to the OAuth2ClientSpec, which then gets API version v1alpha2.
The controller is extended to distinguish between these two versions:

  1. Old Hydra + old Maester: Current state, no problem.
  2. Old Hydra + new Maester: OAuth2ClientSpecs at v1alpha2 are applied, Hydra ignores the new fields; sync successful for v1alpha1, unsuccessful for v1alpha2 definitions.
  3. New Hydra + old Maester: Hydra's response contains the new fields, which should be ignored by Maester; sync should be successful.
  4. New Hydra + new Maester: Happy path.

APIs

No response

Data storage

No response

Code and pseudo-code

No response

Degree of constraint

No response

Alternatives considered

Alternatively, the new OAuth2ClientSpec could be amended with the new TTL configs as a flat attribute list, like:

Metadata apiextensionsv1.JSON `json:"metadata,omitempty"`
// New: one attribute per Hydra lifespan key, mirroring Hydra's own flat client struct
AuthorizationCodeGrantAccessTokenLifespan x.NullDuration `json:"authorization_code_grant_access_token_lifespan,omitempty"`
AuthorizationCodeGrantIDTokenLifespan x.NullDuration `json:"authorization_code_grant_id_token_lifespan,omitempty"`
AuthorizationCodeGrantRefreshTokenLifespan x.NullDuration `json:"authorization_code_grant_refresh_token_lifespan,omitempty"`

But that may be a bit ugly.
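The four compatibility cases in the design section, worked through as an added example (not hydra-maester's or Hydra's own code). It assumes a nested, optional TokenLifespans attribute on the spec that the controller flattens into Hydra's client JSON, and it stands in a small Duration type for ory/x NullDuration; the spec shape, the three lifespan keys shown and the sample client are constructed for the example. The point it makes concrete: with encoding/json's default of dropping unknown keys, an old Hydra silently discards the lifespans (case 2, detected by comparing the echoed client against the spec) and an old Maester keeps decoding a new Hydra's response without error (case 3).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"time"
)

// Duration serializes as Hydra's duration string ("1h0m0s"). It stands in for
// ory/x NullDuration and is an assumption of this example, not the project's type.
type Duration struct{ time.Duration }

func (d Duration) MarshalJSON() ([]byte, error) { return json.Marshal(d.String()) }
func (d *Duration) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	v, err := time.ParseDuration(s)
	d.Duration = v
	return err
}

// TokenLifespans is the proposed optional spec attribute (hypothetical field
// set; only three of Hydra's lifespan keys are shown).
type TokenLifespans struct {
	AuthorizationCodeGrantAccessTokenLifespan  *Duration `json:"authorization_code_grant_access_token_lifespan,omitempty"`
	AuthorizationCodeGrantIDTokenLifespan      *Duration `json:"authorization_code_grant_id_token_lifespan,omitempty"`
	AuthorizationCodeGrantRefreshTokenLifespan *Duration `json:"authorization_code_grant_refresh_token_lifespan,omitempty"`
}

// OAuth2ClientSpec is a minimal stand-in for the v1alpha2 CRD spec (assumed shape).
type OAuth2ClientSpec struct {
	ClientName     string          `json:"clientName"`
	GrantTypes     []string        `json:"grantTypes"`
	TokenLifespans *TokenLifespans `json:"tokenLifespans,omitempty"`
}

// HydraClient is the flat body exchanged with Hydra's admin API; embedding
// TokenLifespans puts the lifespan keys at the top level, as Hydra expects.
type HydraClient struct {
	ClientName string   `json:"client_name"`
	GrantTypes []string `json:"grant_types"`
	TokenLifespans
}

// legacyClient models an old Hydra, or an old Maester, that knows no lifespan
// fields: encoding/json drops unknown keys on decode unless told otherwise.
type legacyClient struct {
	ClientName string   `json:"client_name"`
	GrantTypes []string `json:"grant_types"`
}

// EncodeForHydra maps the nested spec onto Hydra's flat client JSON.
func EncodeForHydra(spec OAuth2ClientSpec) ([]byte, error) {
	c := HydraClient{ClientName: spec.ClientName, GrantTypes: spec.GrantTypes}
	if spec.TokenLifespans != nil {
		c.TokenLifespans = *spec.TokenLifespans
	}
	return json.Marshal(c)
}

// DecodeLegacy is what old code does with a body carrying the new keys: case 2
// (old Hydra echoes the client without them) and case 3 (old Maester reads a
// new Hydra's response) both succeed, because the unknown keys are dropped.
func DecodeLegacy(body []byte) ([]byte, error) {
	var c legacyClient
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	return json.Marshal(c)
}

// LifespansSynced reports whether Hydra's response reflects every lifespan the
// spec asked for; false is how a new Maester would surface case 2.
func LifespansSynced(spec OAuth2ClientSpec, resp []byte) (bool, error) {
	var got HydraClient
	if err := json.Unmarshal(resp, &got); err != nil {
		return false, err
	}
	if spec.TokenLifespans == nil {
		return true, nil // v1alpha1-style definition: nothing to compare
	}
	want, _ := json.Marshal(spec.TokenLifespans)
	have, _ := json.Marshal(got.TokenLifespans)
	return bytes.Equal(want, have), nil
}

// SampleSpec is a constructed spec with a single lifespan set.
func SampleSpec() OAuth2ClientSpec {
	h := Duration{time.Hour}
	return OAuth2ClientSpec{ClientName: "demo", GrantTypes: []string{"authorization_code"},
		TokenLifespans: &TokenLifespans{AuthorizationCodeGrantAccessTokenLifespan: &h}}
}

func main() {
	spec := SampleSpec()
	body, _ := EncodeForHydra(spec)
	echoed, _ := DecodeLegacy(body)
	ok, _ := LifespansSynced(spec, echoed)
	fmt.Printf("sent: %s\nold Hydra echoed: %s\nlifespans synced: %v\n", body, echoed, ok)
}
```

The comparison in LifespansSynced is what turns case 2 from a silent misconfiguration (the client exists, but with Hydra's default lifetimes rather than the ones the CRD declares) into a visible sync failure; case 3 relies on the old controller never enabling DisallowUnknownFields on its decoder.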