server: add expires_in field to the response of token endpoint

server/cross_client_test.go

@@ -283,7 +283,7 @@ func TestServerCodeTokenCrossClient(t *testing.T) {
 			t.Fatalf("case %d: unexpected error: %v", i, err)
 		}
 
-		jwt, token, err := f.srv.CodeToken(f.clientCreds[tt.clientID], key)
+		jwt, token, expiresIn, err := f.srv.CodeToken(f.clientCreds[tt.clientID], key)
 		if err != nil {
 			t.Fatalf("case %d: unexpected error: %v", i, err)
 		}
@@ -293,6 +293,9 @@ func TestServerCodeTokenCrossClient(t *testing.T) {
 		if token != tt.refreshToken {
 			t.Errorf("case %d: expect refresh token %q, got %q", i, tt.refreshToken, token)
 		}
+		if expiresIn == 0 {
+			t.Errorf("case %d: expect non-zero expiration time", i)
+		}
 
 		claims, err := jwt.Claims()
 		if err != nil {

server/http.go

@@ -491,6 +491,7 @@ func handleTokenFunc(srv OIDCServer) http.HandlerFunc {
 
 		var jwt *jose.JWT
 		var refreshToken string
+		var expiresIn int64
 		grantType := r.PostForm.Get("grant_type")
 
 		switch grantType {
@@ -501,14 +502,14 @@ func handleTokenFunc(srv OIDCServer) http.HandlerFunc {
 				writeTokenError(w, oauth2.NewError(oauth2.ErrorInvalidRequest), state)
 				return
 			}
-			jwt, refreshToken, err = srv.CodeToken(creds, code)
+			jwt, refreshToken, expiresIn, err = srv.CodeToken(creds, code)
 			if err != nil {
 				log.Errorf("couldn't exchange code for token: %v", err)
 				writeTokenError(w, err, state)
 				return
 			}
 		case oauth2.GrantTypeClientCreds:
-			jwt, err = srv.ClientCredsToken(creds)
+			jwt, expiresIn, err = srv.ClientCredsToken(creds)
 			if err != nil {
 				log.Errorf("couldn't creds for token: %v", err)
 				writeTokenError(w, err, state)
@@ -521,7 +522,7 @@ func handleTokenFunc(srv OIDCServer) http.HandlerFunc {
 				writeTokenError(w, oauth2.NewError(oauth2.ErrorInvalidRequest), state)
 				return
 			}
-			jwt, refreshToken, err = srv.RefreshToken(creds, strings.Split(scopes, " "), token)
+			jwt, refreshToken, expiresIn, err = srv.RefreshToken(creds, strings.Split(scopes, " "), token)
 			if err != nil {
 				writeTokenError(w, err, state)
 				return
@@ -537,6 +538,7 @@ func handleTokenFunc(srv OIDCServer) http.HandlerFunc {
 			IDToken:      jwt.Encode(),
 			TokenType:    "bearer",
 			RefreshToken: refreshToken,
+			ExpiresIn:    expiresIn,
 		}
 
 		b, err := json.Marshal(t)
@@ -594,6 +596,7 @@ type oAuth2Token struct {
 	IDToken      string `json:"id_token"`
 	TokenType    string `json:"token_type"`
 	RefreshToken string `json:"refresh_token,omitempty"`
+	ExpiresIn    int64  `json:"expires_in"`
 }
 
 func createLastSeenCookie() *http.Cookie {

server/server_test.go

@@ -443,7 +443,7 @@ func TestServerCodeToken(t *testing.T) {
 			t.Fatalf("case %d: unexpected error: %v", i, err)
 		}
 
-		jwt, token, err := f.srv.CodeToken(oidc.ClientCredentials{
+		jwt, token, expiresIn, err := f.srv.CodeToken(oidc.ClientCredentials{
 			ID:     testClientID,
 			Secret: clientTestSecret}, key)
 		if err != nil {
@@ -455,6 +455,9 @@ func TestServerCodeToken(t *testing.T) {
 		if token != tt.refreshToken {
 			t.Fatalf("case %d: expect refresh token %q, got %q", i, tt.refreshToken, token)
 		}
+		if expiresIn == 0 {
+			t.Fatalf("case %d: expect non-zero expiration time", i)
+		}
 	}
 }
 
@@ -475,7 +478,7 @@ func TestServerTokenUnrecognizedKey(t *testing.T) {
 		t.Fatalf("Unexpected error: %v", err)
 	}
 
-	jwt, token, err := f.srv.CodeToken(testClientCredentials, "foo")
+	jwt, token, expiresIn, err := f.srv.CodeToken(testClientCredentials, "foo")
 	if err == nil {
 		t.Fatalf("Expected non-nil error")
 	}
@@ -485,6 +488,9 @@ func TestServerTokenUnrecognizedKey(t *testing.T) {
 	if token != "" {
 		t.Fatalf("Expected empty refresh token")
 	}
+	if expiresIn != 0 {
+		t.Fatalf("Expected zero expiration time")
+	}
 }
 
 func TestServerTokenFail(t *testing.T) {
@@ -580,7 +586,7 @@ func TestServerTokenFail(t *testing.T) {
 			t.Fatalf("Unexpected error: %v", err)
 		}
 
-		jwt, token, err := f.srv.CodeToken(tt.argCC, tt.argKey)
+		jwt, token, expiresIn, err := f.srv.CodeToken(tt.argCC, tt.argKey)
 		if token != tt.refreshToken {
 			fmt.Printf("case %d: expect refresh token %q, got %q\n", i, tt.refreshToken, token)
 			t.Fatalf("case %d: expect refresh token %q, got %q", i, tt.refreshToken, token)
@@ -595,6 +601,9 @@ func TestServerTokenFail(t *testing.T) {
 		if err != nil && jwt != nil {
 			t.Errorf("case %d: got non-nil JWT %v", i, jwt)
 		}
+		if err == nil && expiresIn == 0 {
+			t.Errorf("case %d: got zero expiration time %v", i, expiresIn)
+		}
 	}
 }
 
@@ -835,7 +844,7 @@ func TestServerRefreshToken(t *testing.T) {
 			t.Fatalf("Unexpected error: %v", err)
 		}
 
-		jwt, refreshToken, err := f.srv.RefreshToken(tt.creds, tt.refreshScopes, tt.token)
+		jwt, refreshToken, expiresIn, err := f.srv.RefreshToken(tt.creds, tt.refreshScopes, tt.token)
 		if !reflect.DeepEqual(err, tt.err) {
 			t.Errorf("Case %d: expect: %v, got: %v", i, tt.err, err)
 		}
@@ -875,5 +884,9 @@ func TestServerRefreshToken(t *testing.T) {
 		if diff := pretty.Compare(refreshToken, tt.expectedRefreshToken); diff != "" {
 			t.Errorf("Case %d: want=%v, got=%v", i, tt.expectedRefreshToken, refreshToken)
 		}
+
+		if err == nil && expiresIn == 0 {
+			t.Errorf("case %d: got zero expiration time %v", i, expiresIn)
+		}
 	}
 }