feat: Include issued_at and expires_at in token response, respect server timestamps on client#892
Open
liudonggalaxy wants to merge 1 commit into
Conversation
c030605 to
c6d19d0
Compare
c6d19d0 to
61bbaba
Compare
61bbaba to
b51ee45
Compare
9234dc8 to
65cc5c6
Compare
Add issued_at and expires_at to the bearer token response. Both values derive from a single time.time() call and a single expires_in resolution in generate(), before access_token_generator() is called. This guarantees that the response fields and the JWT iat/exp claims are always identical. On the client side, OAuth2Token prefers the server-provided issued_at when computing expires_at, avoiding clock-skew between client and server. Invalid issued_at values (zero, negative, non-numeric) fall back to the client clock gracefully. Also hardens the default save_token helpers in the SQLAlchemy and Django integrations to filter the token dict to known model columns before persisting. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
65cc5c6 to
fa97da4
Compare
liudonggalaxy
commented
May 15, 2026
| uv.lock | ||
| .env | ||
| coverage.xml | ||
| authlib.iml |
Contributor
Author
There was a problem hiding this comment.
Ignore IntelliJ IDE project file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
This is a feature implementation
Add
issued_atandexpires_atto the bearer token response body, and teach the client-sideOAuth2Tokento prefer the server-providedissued_atover the local clock when computing expiration.Server side (
BearerTokenGenerator.generate())time.time()call and resolvesexpires_inbefore callingaccess_token_generator(), storing both asself._issued_atandself._expires_inissued_atandexpires_atare included in the response wheneverexpires_inis presentJWTBearerTokenGenerator.access_token_generator()readsself._issued_atandself._expires_indirectly, guaranteeingiat == issued_atandexp == expires_at— no duplicatetime.time()or_get_expires_in()callsClient side (
OAuth2Token)issued_at, the client computesexpires_atfrom it instead of from the local clock, avoiding clock-skew issuesissued_atvalues (zero, negative, non-numeric) fall back to the client clock gracefullytime.time()whenissued_atis absent (backward compatible)Persistence (
save_tokenhelpers)save_tokenhelpers in both the SQLAlchemy and Django integrations now filter the token dict to known model columns before persisting, so new response-only fields do not break existing schemasChecklist
prek.pragma: no cover