Insomnia: [Improvement] Show remaining time for the refresh token expiration

Created on 5 Apr 2018  ·  10 Comments  ·  Source: Kong/insomnia

  • Insomnia Version: 5.15.0
  • Operating System: Arch Linux

Details

Hi there!

In the OAuth2 tab, Insomnia calculates the remaining time for the access token, but does not for the refresh token, as you can see here:

image

Would it be possible to calculate and show the remaining time for the refresh token as well? If the refresh token has an exp claim, show the remaining time, else, don't.

Also, it looks like the expired label is wrong:

image

Shouldn't it be "Expired a few seconds ago"?

Best regards,
Rafael Pacheco.

accepted good first issue help wanted

All 10 comments

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This should remain open.

Hi Greg,
I would like to work on implementing the mentioned improvement.

I'm not actually sure if there is a way to know the refresh token expiry date. The OAuth 2.0 RFC states that the response looks like this:

{
   "access_token":"2YotnFZFEjr1zCsicMWpAA",
   "token_type":"example",
   "expires_in":3600,
   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
   "example_parameter":"example_value"
}

The expires_in key relates to the access_token and it doesn't look like there is anything else that would indicate the expiry of the refresh token.

Perhaps someone with more OAuth 2.0 experience could clarify this?

I'll do more research as well. Thanks.

The expiration time is actually in the refresh token. For example, we have the following refresh token:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbXByZXNhX2lkIjoxLCJ1c3VhcmlvX2lkIjoxLCJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJhdGkiOiJjYmI2NGNkNC1lMzlmLTQ4MjQtYTE1OS1hZTAxMDM3ZDMyZGMiLCJub21lIjoiQWRtaW5pc3RyYWRvciIsImV4cCI6MTU0MDIxNTg0NiwianRpIjoiZGM4NzFhMzUtMTJmZS00ODZmLWI0MjUtNGFmMDYzZTEyMTU0IiwiY2xpZW50X2lkIjoidWFhLWNsaWVudCJ9.abc

If you decode that (https://jwt.io/), you can see that there is a claim called exp, which is a Registered Claim Name in RFC 7519, so it is not a magical string. Also, it is not mandatory, which means the refresh token may or may not have it. So, if the exp claim is present in the refresh token, Insomnia will be able to show the expiration time in the UI.

Thanks @rafaelrenanpacheco

@rafaelrenanpacheco it's my understanding that JWT is not part of the OAuth 2.0 standard. It's possible that an API might use JWT as convention but is not common.

@gschier you are right, JWT is just one of many possibilities to generate access and refresh tokens. I'm so used to using OAuth2 with JWT that I forgot that.

As you said about the OAuth 2.0 RFC, there's nothing about refresh token expiration. It is entirely up to the backend to accept it indefinitely, to blacklist it or refuse it after some period.

I'm closing this issue, thanks for your attention :+1:

I appreciate the insight @rafaelrenanpacheco 😄
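The check discussed in this thread, as an added example that is not Insomnia's code or part of any comment above: read `exp` from a refresh token only when the token happens to be a JWT, and return nothing for opaque tokens. The function names, the label wording and the sample tokens built by `makeToken` are assumptions made for illustration.

```javascript
// The payload is decoded WITHOUT verifying the signature (a client has no key
// for that), so the value is a display hint only. The authorization server
// still decides whether the refresh token is accepted.

function decodeSegment(segment) {
  // base64url -> base64, then restore the stripped padding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Returns the expiry in Unix seconds, or null when the token is opaque,
// malformed, or a JWT without a numeric exp claim.
function refreshTokenExpiry(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null; // not header.payload.signature
  try {
    decodeSegment(parts[0]); // header must be base64url-encoded JSON too
    const payload = decodeSegment(parts[1]);
    return Number.isFinite(payload.exp) ? payload.exp : null;
  } catch (err) {
    return null; // segments did not decode to JSON: treat as opaque
  }
}

// Hypothetical label helper: null means "show no expiry line at all".
function expiryLabel(token, nowSeconds) {
  const exp = refreshTokenExpiry(token);
  if (exp === null) return null;
  const delta = exp - nowSeconds;
  return delta > 0 ? `Expires in ${delta}s` : `Expired ${-delta}s ago`;
}

// Builds a constructed, unsigned sample token for the demonstration.
function makeToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const sample = makeToken({ user_name: 'admin', exp: 1540215846 });
console.log(expiryLabel(sample, 1540215846 - 60));     // JWT with exp
console.log(expiryLabel('tGzv3JOkF0XG5Qx2TlKWIA', 0)); // opaque token
```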
