Description
Describe the bug
The `createSessionCookie` REST API supports a `validDuration` between five minutes and fourteen days. Ref https://cloud.google.com/identity-platform/docs/reference/rest/v1/projects/createSessionCookie

Using `session_cookie::create` to obtain a session cookie, it is not possible to retrieve a cookie with a duration greater than sixty minutes.

This is caused by the line below, which reuses the cookie duration when requesting an OAuth token:

```rust
let assertion = crate::jwt::session_cookie::create_jwt_encoded(credentials, duration)?;
```
The request for the OAuth token (`POST https://accounts.google.com/o/oauth2/token`) with a duration greater than sixty minutes will return:

```json
{
  "error": "invalid_grant",
  "error_description": "Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim."
}
```
Specifying a duration of less than sixty minutes for `session_cookie::create` will work as expected.

I propose that, as an OAuth token is requested every time `session_cookie::create` is called, the JWT duration for getting the OAuth token should be reduced to a constant between one and five minutes.
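To make the proposal concrete, the following is an added example (not code from this crate) that models the two lifetimes separately: the OAuth assertion JWT gets a short constant lifetime, while the requested duration is sent only as `validDuration` to `createSessionCookie`. The constant name `OAUTH_ASSERTION_LIFETIME`, the function names, the local `token_endpoint_accepts` check (a model of the rule in the quoted error message, not Google's code) and the timestamps are assumptions; the `"<seconds>s"` rendering follows the REST API's Duration format.

```rust
use std::time::Duration;

// Assumed constant for the fix: the assertion JWT only needs to live long
// enough to complete the token exchange, so it is kept at a few minutes.
pub const OAUTH_ASSERTION_LIFETIME: Duration = Duration::from_secs(5 * 60);
// Limit quoted in the token endpoint's error message: 60 minutes.
pub const OAUTH_ASSERTION_MAX: Duration = Duration::from_secs(60 * 60);
// Documented validDuration range for createSessionCookie: 5 minutes to 14 days.
pub const SESSION_COOKIE_MIN: Duration = Duration::from_secs(5 * 60);
pub const SESSION_COOKIE_MAX: Duration = Duration::from_secs(14 * 24 * 60 * 60);

/// The claims that matter for the lifetime check (unsigned; signing is out of scope here).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AssertionClaims {
    pub iss: String,
    pub iat: u64,
    pub exp: u64,
}

/// Behaviour described in the report: the requested session-cookie duration is
/// reused as the lifetime of the JWT sent to the OAuth token endpoint.
pub fn assertion_claims_buggy(issuer: &str, now: u64, session_duration: Duration) -> AssertionClaims {
    AssertionClaims { iss: issuer.to_owned(), iat: now, exp: now + session_duration.as_secs() }
}

/// Proposed fix: the assertion lifetime is a short constant, independent of the
/// session-cookie duration the caller asked for.
pub fn assertion_claims_fixed(issuer: &str, now: u64) -> AssertionClaims {
    AssertionClaims { iss: issuer.to_owned(), iat: now, exp: now + OAUTH_ASSERTION_LIFETIME.as_secs() }
}

/// Local model (assumption) of the rule in the quoted error: the token must be
/// short-lived (exp - iat <= 60 minutes) and iat must not lie in the future.
pub fn token_endpoint_accepts(claims: &AssertionClaims, now: u64) -> Result<(), String> {
    if claims.iat > now {
        return Err("iat is in the future".into());
    }
    if claims.exp <= claims.iat {
        return Err("exp is not after iat".into());
    }
    if claims.exp - claims.iat > OAUTH_ASSERTION_MAX.as_secs() {
        return Err("Token must be a short-lived token (60 minutes)".into());
    }
    Ok(())
}

/// Checks validDuration against the documented range and renders the JSON body
/// for createSessionCookie (Duration fields are serialised as "<seconds>s").
/// The id_token is inserted without JSON escaping; use a real serialiser in production.
pub fn session_cookie_request_body(id_token: &str, valid_duration: Duration) -> Result<String, String> {
    if valid_duration < SESSION_COOKIE_MIN || valid_duration > SESSION_COOKIE_MAX {
        return Err(format!("validDuration {}s outside 300s..1209600s", valid_duration.as_secs()));
    }
    Ok(format!("{{\"idToken\":\"{}\",\"validDuration\":\"{}s\"}}", id_token, valid_duration.as_secs()))
}

/// Sketch of the fixed flow: a short assertion for the token exchange, and the
/// full requested duration only in the createSessionCookie request.
pub fn create_session_cookie_fixed(issuer: &str, id_token: &str, now: u64, duration: Duration) -> Result<String, String> {
    let assertion = assertion_claims_fixed(issuer, now);
    token_endpoint_accepts(&assertion, now)?;
    session_cookie_request_body(id_token, duration)
}

fn main() {
    let now = 1_700_000_000u64; // constructed timestamp
    let week = Duration::from_secs(7 * 24 * 60 * 60);
    let issuer = "svc@example.iam.gserviceaccount.com"; // constructed service account
    let buggy = assertion_claims_buggy(issuer, now, week);
    println!("buggy assertion: {:?}", token_endpoint_accepts(&buggy, now));
    println!("fixed flow: {:?}", create_session_cookie_fixed(issuer, "ID_TOKEN", now, week));
}
```

With a seven-day request the buggy claims fail the short-lived check while the fixed flow passes it and still asks the cookie endpoint for the full `604800s`; the range check also rejects durations the REST API would refuse before any network call is made.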
To Reproduce
Steps to reproduce the behavior:
- call `session_cookie::create` with a duration of more than sixty minutes.
Expected behavior
A duration between five and fourteen days should return successfully.