extend AUTHORIZATION_CODE_EXPIRE_SECONDS #1211
Comments
|
Seems like this makes sense to match the RFC recommendation. Perhaps check if updates to 6749 have changed the recommendation (look for OAuth 2 BCPs, Oauth2.1, etc.) and then submit a PR |
|
@n2ygk I found a couple of BCPs that update this RFC, non of them refer to this AUTHORIZATION_CODE expire time.
So, it's your call really, just lmk if you want that i submit the PR changing the time. |
|
@matiseni51 thanks for researching this. If seems like we should keep the current value then as we should always trend toward more secure and changing this default would weaken security for current users of the default. Those who need to extended it can always do so via the settings. Unfortunately the current documentation doesn't match the code and is misleading. Perhaps a PR to clarify the documentation is in order as the RFC says:
While the documentation incorrectly states:
|
Hi!
Is your feature request related to a problem? Please describe.
For the
grant_type=authorization_code:It was kind of annoying that you have just a few seconds to make the call to authorize the App and get the code, I always had to extend the expire time.
Describe the solution you'd like
I suggest change the default time (https://github.com/jazzband/django-oauth-toolkit/blob/master/oauth2_provider/settings.py#L52)
from
"AUTHORIZATION_CODE_EXPIRE_SECONDS": 60to
"AUTHORIZATION_CODE_EXPIRE_SECONDS": 600(I think it's just there)
Describe alternatives you've considered
The alternative i'm currently using is just adding this key to my settings
Additional context
I'm only suggestting this change because i spent quite some time looking how to modify this and, i found out that there's a recommendation already in the docs.
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2
Of course, probably i might being missing something and in that case just discard this issue.
btw thanks for the library!
The text was updated successfully, but these errors were encountered: