refactor!: expiresWithSession on authorization endpoint access tokens

BREAKING CHANGE: `expiresWithSession()` for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.
panva · Dec 1, 2022 · cb67083 · cb67083
1 parent 9859969
commit cb67083
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -2190,7 +2190,7 @@ _**default value**_:
 
 ### expiresWithSession
 
-Function used to decide whether the given authorization code/ device code or implicit returned access token be bound to the user session. This will be applied to all tokens issued from the authorization / device code in the future. When tokens are session-bound the session will be loaded by its `uid` every time the token is encountered. Session bound tokens will effectively get revoked if the end-user logs out.  
+Function used to decide whether the given authorization code/ device code or implicit returned opaque access token be bound to the user session. This will be applied to all tokens issued from the authorization / device code in the future. When tokens are session-bound the session will be loaded by its `uid` every time the token is encountered. Session bound tokens will effectively get revoked if the end-user logs out.  
 
 
 _**default value**_:

diff --git a/lib/actions/authorization/process_response_types.js b/lib/actions/authorization/process_response_types.js
@@ -42,10 +42,12 @@ async function tokenHandler(ctx) {
     token.scope = grant.getOIDCScopeFiltered(ctx.oidc.requestParamOIDCScopes);
   }
 
-  if (await expiresWithSession(ctx, token)) {
-    token.expiresWithSession = true;
-  } else {
-    ctx.oidc.session.authorizationFor(ctx.oidc.client.clientId).persistsLogout = true;
+  if (!token.resourceServer || token.resourceServer.accessTokenFormat === 'opaque') {
+    if (await expiresWithSession(ctx, token)) {
+      token.expiresWithSession = true;
+    } else {
+      ctx.oidc.session.authorizationFor(ctx.oidc.client.clientId).persistsLogout = true;
+    }
   }
 
   ctx.oidc.entity('AccessToken', token);

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -1917,7 +1917,7 @@ function makeDefaults() {
     /*
      * expiresWithSession
      * description: Function used to decide whether the given authorization code/ device code
-     *   or implicit returned access token be bound to the user session. This will be applied to all
+     *   or implicit returned opaque access token be bound to the user session. This will be applied to all
      *   tokens issued from the authorization / device code in the future. When tokens are session-bound
      *   the session will be loaded by its `uid` every time the token is encountered. Session bound
      *   tokens will effectively get revoked if the end-user logs out.