add the exp claim to the backchannel logout token
As of Dec 15th 2023, this is part of the OIDC Backchannel Logout spec, chapter 2.4. According to chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future, so we set the expiration to two minutes from issuance. resolves #25753 Signed-off-by: Niko Köbler <niko@n-k.de>
parent
a420b46913
commit
5e623f42d4
2 changed files with 6 additions and 0 deletions
@ -19,6 +19,7 @@ package org.keycloak.jose.jws;
|
|||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.Token;
|
||||
import org.keycloak.TokenCategory;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.crypto.Algorithm;
|
||||
import org.keycloak.crypto.CekManagementProvider;
|
||||
import org.keycloak.crypto.ClientSignatureVerifierProvider;
|
||||
|
@ -54,6 +55,7 @@ import org.keycloak.util.TokenUtil;
|
|||
import java.io.IOException;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.security.Key;
|
||||
import java.time.Duration;
|
||||
import java.util.Comparator;
|
||||
import java.util.Optional;
|
||||
import java.util.function.BiConsumer;
|
||||
|
@ -327,6 +329,7 @@ public class DefaultTokenManager implements TokenManager {
|
|||
LogoutToken token = new LogoutToken();
|
||||
token.id(KeycloakModelUtils.generateId());
|
||||
token.issuedNow();
|
||||
token.exp(Time.currentTime() + Duration.ofMinutes(2).getSeconds());
|
||||
token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
|
||||
token.putEvents(TokenUtil.TOKEN_BACKCHANNEL_LOGOUT_EVENT, JsonSerialization.createObjectNode());
|
||||
token.addAudience(client.getClientId());
|
||||
|
|
|
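Review bot: The two-minute lifespan on the new `token.exp(...)` line in DefaultTokenManager is a bare magic number that must now stay in step with the identical literal in LogoutTokenUtil; a named constant next to the other fields, `private static final long LOGOUT_TOKEN_LIFESPAN_SECONDS = Duration.ofMinutes(2).getSeconds();`, would record the spec origin and make the value easy to tighten or make realm-configurable later. The expiration is also computed from a second clock read rather than from the `iat` that `issuedNow()` just stored, so the two claims can drift by a second under load; deriving it as `token.exp(token.getIat() + LOGOUT_TOKEN_LIFESPAN_SECONDS)` keeps the pair consistent. Emitting exp only helps if the receiving side enforces it, and the hunk does not show whether Keycloak's own backchannel-logout consumer rejects an expired logout token, which is worth confirming separately. The enclosing method starts and ends outside the hunk.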
@ -2,6 +2,7 @@ package org.keycloak.testsuite.util;
|
|||
|
||||
import org.keycloak.OAuth2Constants;
|
||||
import org.keycloak.common.util.Base64Url;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.crypto.JavaAlgorithm;
|
||||
import org.keycloak.jose.jws.Algorithm;
|
||||
import org.keycloak.jose.jws.JWSHeader;
|
||||
|
@ -15,6 +16,7 @@ import java.security.NoSuchAlgorithmException;
|
|||
import java.security.PrivateKey;
|
||||
import java.security.Signature;
|
||||
import java.security.SignatureException;
|
||||
import java.time.Duration;
|
||||
import java.util.HashMap;
|
||||
import java.util.UUID;
|
||||
|
||||
|
@ -35,6 +37,7 @@ public class LogoutTokenUtil {
|
|||
logoutToken.issuer(issuer);
|
||||
logoutToken.id(UUID.randomUUID().toString());
|
||||
logoutToken.issuedNow();
|
||||
logoutToken.exp(Time.currentTime() + Duration.ofMinutes(2).getSeconds());
|
||||
logoutToken.audience(clientId);
|
||||
|
||||
String logoutTokenPayloadEncoded = Base64Url.encode(JsonSerialization.writeValueAsBytes(logoutToken));
|
||||
|
|
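Review bot: The hard-coded `Duration.ofMinutes(2)` in the new `logoutToken.exp(...)` line of LogoutTokenUtil duplicates the production value rather than exercising it, and it leaves the test helper unable to build a token that is already expired, which is the case a consumer most needs to reject. Consider letting the helper take the lifespan as a parameter (for example an overload accepting `long lifespanSeconds`, with the existing method delegating `Duration.ofMinutes(2).getSeconds()` as its default) so that a zero or negative value can drive the expired-token path in tests. The enclosing method starts and ends outside the hunk, so the signature to extend is not visible here.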