Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handling Notifications for Expired Access Tokens in Sink Credentials #357

Open
dfischer-tech opened this issue Dec 10, 2024 · 5 comments
Open

Handling Notifications for Expired Access Tokens in Sink Credentials #357

dfischer-tech opened this issue Dec 10, 2024 · 5 comments
Labels
correction correction in documentation

Comments

@dfischer-tech
Copy link
Contributor

Problem description
...subscriptions.v0.subscription-ends notification should be sent, if

  • the Access Token sinkCredential (optionally set by the requester) expiration time has been reached

If the requester optionally provides sinkCredentials (e.g., an access token), and the expiration time of the token is reached, it does not make sense to notify the secured client, as the token is already expired. How should we handle this scenario?

Alternative solution
A notification could be sent 30 seconds before the token expires. Would this approach work?

Additional context
This affects all new subscription APIs: like QoD, SimSwap, DeviceLocation and DeviceStatus
@dfischer-tech dfischer-tech added the correction correction in documentation label Dec 10, 2024
@rartych
Copy link
Collaborator

rartych commented Dec 10, 2024

@bigludo7 It looks this should be clarified in API Design Guidelines section 12.2

@bigludo7
Copy link
Collaborator

We can add a note indicating that sending the notification once the token expired is useless but providing a hint/recommendation for the API provider to send this notification proactively before the expiration.
I can do it after #356 merge to not mix topic?

@dfischer-tech dfischer-tech mentioned this issue Dec 11, 2024
Open
@jlurien
Copy link
Contributor

jlurien commented Dec 12, 2024

In the case of explicit subscriptions, it makes sense to send such an event prior to the access token expiration, so it should be a clear guideline (implementation SHOULD send...). That would terminate the subscription.

More problematic is the situation with implicit subscriptions, as in QoD, where the events are used to notify changes during the life cycle of a session, which should not end due to the access token expiration. In such situations, the access token should be valid during the duration of the session in order to be useful or otherwise the client would stop receiving notifications.

@bigludo7
Copy link
Collaborator

For the second case (implicit subscription) as the developer will probably use the yaml we should probably document this in the yaml as a 'hint' and using specific vocabulary from the API (speaking session in Qod, Paymemt in Carrier billing), etc... WDYT?

@jlurien
Copy link
Contributor

jlurien commented Dec 13, 2024

For the second case (implicit subscription) as the developer will probably use the yaml we should probably document this in the yaml as a 'hint' and using specific vocabulary from the API (speaking session in Qod, Paymemt in Carrier billing), etc... WDYT?

I agree, indeed, that is what I proposed in the issue opened in QoD: camaraproject/QualityOnDemand#385 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
correction correction in documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jlurien @bigludo7 @dfischer-tech @rartych