exp, iat and client_id_issued_at should be integers

Author: johanlundberg

src/pyop/authz_state.py

@@ -95,7 +95,7 @@ def create_authorization_code(self, authorization_request, subject_identifier, s
         authorization_code = rand_str()
         authz_info = {
             'used': False,
-            'exp': time.time() + self.authorization_code_lifetime,
+            'exp': int(time.time()) + self.authorization_code_lifetime,
             'sub': subject_identifier,
             'granted_scope': scope,
             self.KEY_AUTHORIZATION_REQUEST: authorization_request.to_dict()
@@ -129,8 +129,8 @@ def _create_access_token(self, subject_identifier, auth_req, granted_scope, curr
         logger.debug('creating access token for scope=%s', scope)
 
         authz_info = {
-            'iat': time.time(),
-            'exp': time.time() + self.access_token_lifetime,
+            'iat': int(time.time()),
+            'exp': int(time.time()) + self.access_token_lifetime,
             'sub': subject_identifier,
             'client_id': auth_req['client_id'],
             'aud': [auth_req['client_id']],
@@ -157,9 +157,9 @@ def exchange_code_for_token(self, authorization_code):
         if authz_info['used']:
             logger.debug('detected already used authz_code=%s', authorization_code)
             raise InvalidAuthorizationCode('{} has already been used'.format(authorization_code))
-        elif authz_info['exp'] < time.time():
+        elif authz_info['exp'] < int(time.time()):
             logger.debug('detected expired authz_code=%s, now=%s > exp=%s ',
-                         authorization_code, time.time(), authz_info['exp'])
+                         authorization_code, int(time.time()), authz_info['exp'])
             raise InvalidAuthorizationCode('{} has expired'.format(authorization_code))
 
         authz_info['used'] = True
@@ -181,7 +181,7 @@ def introspect_access_token(self, access_token_value):
 
         authz_info = self.access_tokens[access_token_value]
 
-        introspection = {'active': authz_info['exp'] >= time.time()}
+        introspection = {'active': authz_info['exp'] >= int(time.time())}
 
         introspection_params = {k: v for k, v in authz_info.items() if k in TokenIntrospectionResponse.c_param}
         introspection.update(introspection_params)
@@ -200,7 +200,7 @@ def create_refresh_token(self, access_token_value):
             return None
 
         refresh_token = rand_str()
-        authz_info = {'access_token': access_token_value, 'exp': time.time() + self.refresh_token_lifetime}
+        authz_info = {'access_token': access_token_value, 'exp': int(time.time()) + self.refresh_token_lifetime}
         self.refresh_tokens[refresh_token] = authz_info
 
         logger.debug('issued refresh_token=%s expiring=%d for access_token=%s', refresh_token, authz_info['exp'],
@@ -218,7 +218,7 @@ def use_refresh_token(self, refresh_token, scope=None):
             raise InvalidRefreshToken('{} unknown'.format(refresh_token))
 
         refresh_token_info = self.refresh_tokens[refresh_token]
-        if 'exp' in refresh_token_info and refresh_token_info['exp'] < time.time():
+        if 'exp' in refresh_token_info and refresh_token_info['exp'] < int(time.time()):
             raise InvalidRefreshToken('{} has expired'.format(refresh_token))
 
         authz_info = self.access_tokens[refresh_token_info['access_token']]
@@ -240,7 +240,7 @@ def use_refresh_token(self, refresh_token, scope=None):
         new_refresh_token = None
         if self.refresh_token_threshold \
                 and 'exp' in refresh_token_info \
-                and refresh_token_info['exp'] - time.time() < self.refresh_token_threshold:
+                and refresh_token_info['exp'] - int(time.time()) < self.refresh_token_threshold:
             # refresh token is close to expiry, issue a new one
             new_refresh_token = self.create_refresh_token(new_access_token.value)
         else:

src/pyop/provider.py

@@ -263,8 +263,8 @@ def _create_signed_id_token(self,
         id_token = IdToken(iss=self.configuration_information['issuer'],
                            sub=sub,
                            aud=client_id,
-                           iat=time.time(),
-                           exp=time.time() + self.id_token_lifetime,
+                           iat=int(time.time()),
+                           exp=int(time.time()) + self.id_token_lifetime,
                            **args)
 
         if nonce:
@@ -488,7 +488,7 @@ def handle_client_registration_request(self, request, http_headers=None):
         client_id, client_secret = self._issue_new_client()
         credentials = {
             'client_id': client_id,
-            'client_id_issued_at': time.time(),
+            'client_id_issued_at': int(time.time()),
             'client_secret': client_secret,
             'client_secret_expires_at': 0  # never expires
         }

tests/pyop/test_authz_state.py

@@ -65,7 +65,7 @@ def test_create_authorization_code(self, authorization_state_factory, authorizat
 
         authz_code = authorization_state.create_authorization_code(authorization_request, self.TEST_SUBJECT_IDENTIFIER)
         assert authz_code in authorization_state.authorization_codes
-        assert authorization_state.authorization_codes[authz_code]['exp'] == time.time() + code_lifetime
+        assert authorization_state.authorization_codes[authz_code]['exp'] == int(time.time()) + code_lifetime
         assert authorization_state.authorization_codes[authz_code]['used'] is False
         assert authorization_state.authorization_codes[authz_code][AuthorizationState.KEY_AUTHORIZATION_REQUEST] == \
                authorization_request.to_dict()
@@ -223,7 +223,7 @@ def test_create_refresh_token_with_expiration_time(self, authorization_state_fac
 
         assert refresh_token in authorization_state.refresh_tokens
         assert authorization_state.refresh_tokens[refresh_token]['access_token'] == access_token.value
-        assert authorization_state.refresh_tokens[refresh_token]['exp'] == time.time() + refresh_token_lifetime
+        assert authorization_state.refresh_tokens[refresh_token]['exp'] == int(time.time()) + refresh_token_lifetime
 
     def test_use_refresh_token(self, authorization_state_factory, authorization_request):
         authorization_state = authorization_state_factory(access_token_lifetime=self.TEST_TOKEN_LIFETIME,
@@ -267,7 +267,7 @@ def test_use_refresh_token_issues_new_refresh_token_if_the_old_is_close_to_expir
         old_access_token = authorization_state.create_access_token(authorization_request, self.TEST_SUBJECT_IDENTIFIER)
         refresh_token = authorization_state.create_refresh_token(old_access_token.value)
 
-        close_to_expiration = time.time() + authorization_state.refresh_token_lifetime - 50
+        close_to_expiration = int(time.time()) + authorization_state.refresh_token_lifetime - 50
         with patch('time.time', Mock(return_value=close_to_expiration)):
             new_access_token, new_refresh_token = authorization_state.use_refresh_token(refresh_token)
 

tests/pyop/test_provider.py

@@ -388,7 +388,7 @@ def test_refresh_request_with_refresh_token_close_to_expiry_issues_new_refresh_t
                                                        refresh_token_threshold=2)
         self.refresh_token_request_args['refresh_token'] = self.create_refresh_token()
 
-        close_to_expiration = time.time() + self.provider.authz_state.refresh_token_lifetime - 1
+        close_to_expiration = int(time.time()) + self.provider.authz_state.refresh_token_lifetime - 1
         with patch('time.time', Mock(return_value=close_to_expiration)):
             response = self.provider.handle_token_request(urlencode(self.refresh_token_request_args))
         assert response['access_token'] in self.provider.authz_state.access_tokens