Description
Describe the bug
The `_get_token_from_authentication_server` function interprets the expiry date wrongly. The expiry is read from `content['exp']`, which is defined as a NumericDate, which in turn is defined as a UNIX UTC timestamp (seconds since the epoch). The `exp` value is converted to a date using `utcfromtimestamp`, followed by `make_aware` to turn it into a timezone-aware date. The latter uses the timezone chosen for your project, while it should use the UTC timezone. So given a project timezone of +2 and an access token that expires after an hour, the access token is treated as invalid because its expiry appears to be in the past.
To Reproduce
- Set up an identity provider that serves access tokens with ACCESS_TOKEN_EXPIRE_SECONDS set to 3600
- Set up a resource server with the timezone set to TIME_ZONE = "Europe/Amsterdam" (+2)
- Request an access token and try to access the resource server
- The access token is always reported as expired
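The skew described above, as an added example (not code from django-oauth-toolkit): `make_aware` is a simplified stand-in for Django's helper, and the project timezone is modelled as a constructed fixed +02:00 offset (what Europe/Amsterdam uses in summer) so the example runs without a tz database.

```python
"""Reproduce the exp misinterpretation: utcfromtimestamp() returns a naive
datetime holding UTC wall-clock time; make_aware() then labels that wall clock
with the project timezone instead of UTC, shifting the expiry into the past."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the project's TIME_ZONE (Europe/Amsterdam at +2).
PROJECT_TZ = timezone(timedelta(hours=2))
ACCESS_TOKEN_EXPIRE_SECONDS = 3600


def make_aware(value, tz):
    """Simplified stand-in for django.utils.timezone.make_aware: attach tz to a
    naive datetime. No DST fold handling, which a fixed offset does not need."""
    if value.tzinfo is not None:
        raise ValueError("make_aware expects a naive datetime")
    return value.replace(tzinfo=tz)


def expires_buggy(exp):
    """Reported behaviour: UTC wall clock labelled with the project timezone."""
    return make_aware(datetime.utcfromtimestamp(exp), PROJECT_TZ)


def expires_fixed(exp):
    """Proposed fix: the UTC wall clock is labelled as UTC."""
    return make_aware(datetime.utcfromtimestamp(exp), timezone.utc)


def is_expired(expires, now):
    return expires <= now


def demo(now_ts=None):
    """Issue a token at now_ts (epoch seconds) valid for ACCESS_TOKEN_EXPIRE_SECONDS
    and check it both ways. Returns (buggy_expired, fixed_expired, skew_seconds)."""
    if now_ts is None:
        now_ts = int(datetime.now(timezone.utc).timestamp())
    now = datetime.fromtimestamp(now_ts, tz=timezone.utc)
    exp = now_ts + ACCESS_TOKEN_EXPIRE_SECONDS  # JWT NumericDate claim
    buggy, fixed = expires_buggy(exp), expires_fixed(exp)
    skew = (fixed - buggy).total_seconds()  # how far the buggy expiry is shifted
    return is_expired(buggy, now), is_expired(fixed, now), skew


if __name__ == "__main__":
    # With a +2 project timezone the fresh token is already "expired" by an hour.
    print(demo())
```

For any +2 project timezone the buggy expiry lands two hours before the real one, so a token with a one-hour lifetime is already one hour in the past the moment it is issued.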
Expected behavior
Access token is invalid
Version
django-oauth-toolkit==2.3.0
- I have tested with the latest published release and it's still a problem.
- I have tested with the master branch and it's still a problem.
Additional context
It's rather easy to fix by changing:
- expires = make_aware(expires) if settings.USE_TZ else expires`
+ expires = make_aware(expires, timezone=pytz.UTC) if settings.USE_TZ else expires`
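Review bot: the `+` line pulls in `pytz.UTC` without an accompanying import, and `make_aware` accepts any `tzinfo`, so `datetime.timezone.utc` gives the same result without adding a pytz dependency (pytz is no longer a Django dependency in recent versions). Since `make_aware` is only needed because `utcfromtimestamp` returns a naive value, `datetime.fromtimestamp(content["exp"], tz=datetime.timezone.utc)` would produce the aware expiry directly and make the intent clearer; both shown lines also carry a stray trailing backtick that would not compile.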
For backwards compatibility it would be better to have a setting which allows you to change the timezone specifically for the token expiry.