From e0f1a23812d54add51d7ad9d38cb215d73483f57 Mon Sep 17 00:00:00 2001
From: randomowo
Date: Wed, 22 Oct 2025 13:28:45 +0300
Subject: [PATCH 1/2] fix: check expires_at when get grant public key

---
 persistence/sql/persister_grant_jwk.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/persistence/sql/persister_grant_jwk.go b/persistence/sql/persister_grant_jwk.go
index a1bf601384c..f2286493162 100644
--- a/persistence/sql/persister_grant_jwk.go
+++ b/persistence/sql/persister_grant_jwk.go
@@ -137,7 +137,12 @@ func (p *Persister) GetPublicKey(ctx context.Context, issuer string, subject str
 		tableName += "@hydra_oauth2_trusted_jwt_bearer_issuer_nid_uq_idx"
 	}
 
-	sql := fmt.Sprintf(`SELECT key_set FROM %s WHERE key_id = ? AND nid = ? AND issuer = ? AND (subject = ? OR allow_any_subject IS TRUE) LIMIT 1`, tableName)
+	expiresAt := "expires_at > NOW()"
+	if p.Connection(ctx).Dialect.Name() == "sqlite3" {
+		expiresAt = "expires_at > datetime('now')"
+	}
+
+	sql := fmt.Sprintf(`SELECT key_set FROM %s WHERE key_id = ? AND nid = ? AND issuer = ? AND (subject = ? OR allow_any_subject IS TRUE) AND %s LIMIT 1`, tableName, expiresAt)
 	query := p.Connection(ctx).RawQuery(sql,
 		keyId, p.NetworkID(ctx), issuer, subject,
 	)

From f19337ef1af15720d17bf4c0221b40b45ec3f36c Mon Sep 17 00:00:00 2001
From: randomowo
Date: Wed, 22 Oct 2025 14:13:37 +0300
Subject: [PATCH 2/2] test: add test for expired grant

---
 oauth2/fosite_store_helpers_test.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/oauth2/fosite_store_helpers_test.go b/oauth2/fosite_store_helpers_test.go
index 6a5b0aa5f9b..a4d231292d5 100644
--- a/oauth2/fosite_store_helpers_test.go
+++ b/oauth2/fosite_store_helpers_test.go
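Review bot: The new `expiresAt` predicate evaluates `expires_at` against the database server's clock (`NOW()` or `datetime('now')`), while the row's `expires_at` is written with the application's clock, so server/application skew or a non-UTC database session time zone (MySQL's `NOW()` is computed in the session time zone, Postgres returns a `timestamptz`) shifts the moment a trusted issuer's key stops verifying assertions, in either direction. Binding the application time as a parameter removes the dialect branch and keeps one clock for both write and read: end the query with `AND expires_at > ? LIMIT 1`, tableName)` and pass `time.Now().UTC()` as the last `RawQuery` argument (this needs `time` in scope, which the hunk does not show). If the sibling expiry filters in this file already bind the application time, following them also keeps the persister uniform. `GetPublicKey`'s body continues past the hunk, so how the now-missing row is mapped to a not-found error is not visible here.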
@@ -1253,6 +1253,31 @@ func testFositeJWTBearerGrantStorage(x *driver.RegistrySQL) func(t *testing.T) {
 			require.NotEmpty(t, jwks.Keys)
 		})
 
+		t.Run("case=does not found expired grant", func(t *testing.T) {
+			keySet, err := jwk.GenerateJWK(jose.RS256, uuid.Must(uuid.NewV4()).String(), "sig")
+			require.NoError(t, err)
+
+			publicKey := keySet.Keys[0].Public()
+			issuer := uuid.Must(uuid.NewV4()).String()
+			subject := uuid.Must(uuid.NewV4()).String()
+			grant := trust.Grant{
+				ID:              uuid.Must(uuid.NewV4()),
+				Issuer:          issuer,
+				Subject:         subject,
+				AllowAnySubject: true,
+				Scope:           []string{"openid", "offline"},
+				PublicKey:       trust.PublicKey{Set: issuer, KeyID: publicKey.KeyID},
+				CreatedAt:       time.Now().UTC().Round(time.Second),
+				ExpiresAt:       time.Now().UTC().Round(time.Second).AddDate(-1, 0, 0),
+			}
+
+			require.NoError(t, grantManager.CreateGrant(ctx, grant, publicKey))
+
+			key, err := grantStorage.GetPublicKey(ctx, issuer, subject, publicKey.KeyID)
+			require.Error(t, err)
+			assert.Nil(t, key)
+		})
+
 		t.Run("case=does not return expired values", func(t *testing.T) {
 			keySet, err := jwk.GenerateJWK(jose.RS256, uuid.Must(uuid.NewV4()).String(), "sig")
 			require.NoError(t, err)
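Review bot: `require.Error(t, err)` in the new "does not found expired grant" case accepts any error, so a dialect-specific failure of the freshly added `expires_at` clause (the very code path this test exists to cover) would make the test pass for the wrong reason; assert the not-found sentinel the persister returns for a missing row instead, e.g. `require.ErrorIs(t, err, sqlcon.ErrNoRows)` if that is what `GetPublicKey` maps it to. The case name should read `"case=does not find expired grant"`. Calling `time.Now()` twice for `CreatedAt` and `ExpiresAt` is harmless here, but a single `now := time.Now().UTC().Round(time.Second)` reused for both reads cleaner and matches the intent that the grant was created and expired relative to one instant. The enclosing `testFositeJWTBearerGrantStorage` closure starts and ends outside the hunk.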