Add OIDC property for configuring internal ID token lifespan

quarkusio · Jan 5, 2023 · 7bda9b6 · 7bda9b6
1 parent 5837733
commit 7bda9b6
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 4 deletions.
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -794,6 +794,13 @@ public enum ResponseMode {
         @ConfigItem(defaultValueDocumentation = "true")
         public Optional<Boolean> idTokenRequired = Optional.empty();
 
+        /**
+         * Internal ID token lifespan.
+         * This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.
+         */
+        @ConfigItem(defaultValueDocumentation = "5M")
+        public Optional<Duration> internalIdTokenLifespan = Optional.empty();
+
         /**
          * Requires that a Proof Key for Code Exchange (PKCE) is used.
          */
@@ -808,6 +815,14 @@ public enum ResponseMode {
         @ConfigItem
         public Optional<String> pkceSecret = Optional.empty();
 
+        public Optional<Duration> getInternalIdTokenLifespan() {
+            return internalIdTokenLifespan;
+        }
+
+        public void setInternalIdTokenLifespan(Duration internalIdTokenLifespan) {
+            this.internalIdTokenLifespan = Optional.of(internalIdTokenLifespan);
+        }
+
         public Optional<Boolean> isPkceRequired() {
             return pkceRequired;
         }

diff --git a/...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -743,6 +743,9 @@ private String generateInternalIdToken(OidcTenantConfig oidcConfig, UserInfo use
         if (userInfo != null) {
             builder.claim(OidcUtils.USER_INFO_ATTRIBUTE, userInfo.getJsonObject());
         }
+        if (oidcConfig.authentication.internalIdTokenLifespan.isPresent()) {
+            builder.expiresIn(oidcConfig.authentication.internalIdTokenLifespan.get().getSeconds());
+        }
         return builder.jws().header(INTERNAL_IDTOKEN_HEADER, true)
                 .sign(KeyUtils.createSecretKeyFromSecret(OidcCommonUtils.clientSecret(oidcConfig.credentials)));
     }

diff --git a/...-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CustomTenantConfigResolver.java b/...-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CustomTenantConfigResolver.java
@@ -1,5 +1,6 @@
 package io.quarkus.it.keycloak;
 
+import java.time.Duration;
 import java.util.Map;
 
 import javax.enterprise.context.ApplicationScoped;
@@ -40,6 +41,7 @@ public Uni<OidcTenantConfig> resolve(RoutingContext context,
                     .setSecret("AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow");
             config.getCodeGrant().setHeaders(Map.of("X-Custom", "XCustomHeaderValue"));
             config.getCodeGrant().setExtraParams(Map.of("extra-param", "extra-param-value"));
+            config.getAuthentication().setInternalIdTokenLifespan(Duration.ofSeconds(301));
             return Uni.createFrom().item(config);
         }
 

diff --git a/...n-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/CodeFlowAuthorizationTest.java b/...n-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/CodeFlowAuthorizationTest.java
@@ -207,14 +207,14 @@ public void testCodeFlowFormPostAndFrontChannelLogout() throws IOException {
     public void testCodeFlowUserInfo() throws IOException {
         defineCodeFlowAuthorizationOauth2TokenStub();
 
-        doTestCodeFlowUserInfo("code-flow-user-info-only");
-        doTestCodeFlowUserInfo("code-flow-user-info-github");
-        doTestCodeFlowUserInfo("code-flow-user-info-dynamic-github");
+        doTestCodeFlowUserInfo("code-flow-user-info-only", 300);
+        doTestCodeFlowUserInfo("code-flow-user-info-github", 300);
+        doTestCodeFlowUserInfo("code-flow-user-info-dynamic-github", 301);
 
         doTestCodeFlowUserInfoCashedInIdToken();
     }
 
-    private void doTestCodeFlowUserInfo(String tenantId) throws IOException {
+    private void doTestCodeFlowUserInfo(String tenantId, long internalIdTokenLifetime) throws IOException {
         try (final WebClient webClient = createWebClient()) {
             webClient.getOptions().setRedirectEnabled(true);
             HtmlPage page = webClient.getPage("http://localhost:8081/" + tenantId);
@@ -231,6 +231,9 @@ private void doTestCodeFlowUserInfo(String tenantId) throws IOException {
             assertNotNull(sessionCookie);
             JsonObject idTokenClaims = OidcUtils.decodeJwtContent(sessionCookie.getValue().split("\\|")[0]);
             assertNull(idTokenClaims.getJsonObject(OidcUtils.USER_INFO_ATTRIBUTE));
+            long issuedAt = idTokenClaims.getLong("iat");
+            long expiresAt = idTokenClaims.getLong("exp");
+            assertEquals(internalIdTokenLifetime, expiresAt - issuedAt);
             webClient.getCookieManager().clearCookies();
         }
     }