Allow 10 minutes of grace period before the token expire

test move err to standalone handle Expired token as standalone func move error as separate
kyma-project · Oct 24, 2024 · c768a0d · c768a0d
1 parent 0ba5f3b
commit c768a0d
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/pkg/oidc/oidc.go b/pkg/oidc/oidc.go
@@ -7,6 +7,7 @@ package oidc
 import (
 	"errors"
 	"fmt"
+	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/go-jose/go-jose/v4"
@@ -382,9 +383,14 @@ func (tokenProcessor *TokenProcessor) Issuer() string {
 func (tokenProcessor *TokenProcessor) VerifyAndExtractClaims(ctx context.Context, verifier TokenVerifierInterface, claims ClaimsInterface) error {
 	logger := tokenProcessor.logger
 	token, err := verifier.Verify(ctx, tokenProcessor.rawToken)
+	var tokenExpiryError *oidc.TokenExpiredError
+	if errors.As(err, &tokenExpiryError) {
+		token, err = tokenProcessor.handleExpiredToken(ctx, tokenExpiryError, logger, err)
+	}
 	if err != nil {
 		return fmt.Errorf("failed to verify token: %w", err)
 	}
+
 	logger.Debugw("Getting claims from token")
 	err = token.Claims(claims)
 	if err != nil {
@@ -397,3 +403,30 @@ func (tokenProcessor *TokenProcessor) VerifyAndExtractClaims(ctx context.Context
 	}
 	return nil
 }
+
+func (tokenProcessor *TokenProcessor) handleExpiredToken(ctx context.Context, tokenExpiryError *oidc.TokenExpiredError, logger LoggerInterface, err error) (Token, error) {
+	expiryTime := tokenExpiryError.Expiry
+	now := time.Now()
+	elapsed := now.Sub(expiryTime)
+	gracePeriod := 10 * time.Minute
+	if elapsed <= gracePeriod {
+		newVerifierConfig := tokenProcessor.verifierConfig
+		newVerifierConfig.SkipExpiryCheck = true
+
+		provider, err := NewProviderFromDiscovery(ctx, logger, tokenProcessor.issuer.IssuerURL)
+		if err != nil {
+			return Token{}, fmt.Errorf("failed to create provider: %w", err)
+		}
+
+		newVerifier := provider.NewVerifier(logger, newVerifierConfig)
+		token, err := newVerifier.Verify(ctx, tokenProcessor.rawToken)
+
+		if err != nil {
+			return Token{}, fmt.Errorf("failed to verify token after skipping expiry check: %w", err)
+		}
+
+		return token, nil
+	} else {
+		return Token{}, fmt.Errorf("token expired more than %v ago: %w", gracePeriod, err)
+	}
+}