From c48a6bc59e0831acb910508e191a69085453bbfd Mon Sep 17 00:00:00 2001
From: Vladislav Ivanov <vlad@ivanov.email>
Date: Fri, 7 Apr 2023 23:46:26 +0200
Subject: [PATCH] Fix bearer token expiration check (fixes #3779)

Signed-off-by: Vladislav Ivanov <vlad@ivanov.email>
(cherry picked from commit fc834f5524f3c7b4baffd3408ce6c41c190e9c6e)
---
 util/resolver/authorizer.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/util/resolver/authorizer.go b/util/resolver/authorizer.go
index 6a4140d68b1b..d97d32dd6f5d 100644
--- a/util/resolver/authorizer.go
+++ b/util/resolver/authorizer.go
@@ -356,7 +356,15 @@ func (ah *authHandler) fetchToken(ctx context.Context, sm *session.Manager, g se
 		if resp.ExpiresIn == 0 {
 			resp.ExpiresIn = defaultExpiration
 		}
-		issuedAt, expires = time.Unix(resp.IssuedAt, 0), int(resp.ExpiresIn)
+		expires = int(resp.ExpiresIn)
+		// We later check issuedAt.isZero, which would return
+		// false if converted from zero Unix time. Therefore,
+		// zero time value in response is handled separately
+		if resp.IssuedAt == 0 {
+			issuedAt = time.Time{}
+		} else {
+			issuedAt = time.Unix(resp.IssuedAt, 0)
+		}
 		token = resp.Token
 		return nil, nil
 	}