oauth2: Resolves flaky MySQL tests on Circle-CI

Closes #861
ory · May 20, 2018 · fcd9180 · fcd9180
1 parent 127561c
commit fcd9180
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 7 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -75,7 +75,7 @@
 
 [[constraint]]
   name = "github.com/ory/fosite"
-  version = "0.19.2"
+  version = "0.19.3"
 
 [[constraint]]
   name = "github.com/ory/graceful"

diff --git a/consent/strategy_default.go b/consent/strategy_default.go
@@ -289,6 +289,13 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 		return nil, errors.WithStack(fosite.ErrServerError.WithDebug("The login request is marked as remember, but the subject from the login confirmation does not match the original subject from the cookie."))
 	}
 
+	authTime := session.AuthenticatedAt
+	if session.AuthenticatedAt.After(session.RequestedAt) {
+		// If we authenticated after the initial request hit the /oauth2/auth endpoint, we can update the
+		// auth time to now which will resolve issues with very short max_age times
+		authTime = time.Now().UTC()
+	}
+
 	if err := s.OpenIDConnectRequestValidator.ValidatePrompt(&fosite.AuthorizeRequest{
 		ResponseTypes: req.GetResponseTypes(),
 		RedirectURI:   req.GetRedirectURI(),
@@ -306,7 +313,7 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 					Subject:     session.Subject,
 					IssuedAt:    time.Now().UTC(),                // doesn't matter
 					ExpiresAt:   time.Now().Add(time.Hour).UTC(), // doesn't matter
-					AuthTime:    session.AuthenticatedAt,
+					AuthTime:    authTime,
 					RequestedAt: session.RequestedAt,
 				},
 				Headers: &jwt.Headers{},

diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go
@@ -451,14 +451,16 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 				},
 				{
 					d:       "should not cause issues if max_age is very low and consent takes a long time",
-					authURL: oauthConfig.AuthCodeURL("some-hardcoded-state") + "&max_age=1",
+					authURL: oauthConfig.AuthCodeURL("some-hardcoded-state") + "&max_age=3",
 					//cj:      persistentCJ,
 					lph: func(t *testing.T) func(w http.ResponseWriter, r *http.Request) {
 						return func(w http.ResponseWriter, r *http.Request) {
 							_, res, err := apiClient.GetLoginRequest(r.URL.Query().Get("login_challenge"))
 							require.NoError(t, err)
 							require.EqualValues(t, http.StatusOK, res.StatusCode)
 
+							time.Sleep(time.Second * 5)
+
 							v, res, err := apiClient.AcceptLoginRequest(r.URL.Query().Get("login_challenge"), swagger.AcceptLoginRequest{Subject: "user-a"})
 							require.NoError(t, err)
 							require.EqualValues(t, http.StatusOK, res.StatusCode)
@@ -472,7 +474,7 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 							require.NoError(t, err)
 							require.EqualValues(t, http.StatusOK, res.StatusCode)
 
-							time.Sleep(time.Second * 2)
+							time.Sleep(time.Second * 5)
 
 							v, res, err := apiClient.AcceptConsentRequest(r.URL.Query().Get("consent_challenge"), swagger.AcceptConsentRequest{
 								GrantScope: []string{"hydra", "openid"},