add the exp claim to the backchannel logout token

This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4.

According to chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future, so the expiration is set to two minutes from issuance.

resolves #25753

Signed-off-by: Niko Köbler <niko@n-k.de>
This commit is contained in:
Niko Köbler 2023-12-21 23:47:56 +01:00 committed by Alexander Schwartz
parent a420b46913
commit 5e623f42d4
2 changed files with 6 additions and 0 deletions


@ -19,6 +19,7 @@ package org.keycloak.jose.jws;
import org.jboss.logging.Logger;
import org.keycloak.Token;
import org.keycloak.TokenCategory;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.CekManagementProvider;
import org.keycloak.crypto.ClientSignatureVerifierProvider;
@ -54,6 +55,7 @@ import org.keycloak.util.TokenUtil;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.Key;
import java.time.Duration;
import java.util.Comparator;
import java.util.Optional;
import java.util.function.BiConsumer;
@ -327,6 +329,7 @@ public class DefaultTokenManager implements TokenManager {
LogoutToken token = new LogoutToken();
token.id(KeycloakModelUtils.generateId());
token.issuedNow();
token.exp(Time.currentTime() + Duration.ofMinutes(2).getSeconds());
token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
token.putEvents(TokenUtil.TOKEN_BACKCHANNEL_LOGOUT_EVENT, JsonSerialization.createObjectNode());
token.addAudience(client.getClientId());
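Review bot: The two-minute lifespan in the new `token.exp(...)` line is a magic value that is duplicated verbatim in the LogoutTokenUtil hunk of the second file; a named constant such as `private static final long LOGOUT_TOKEN_LIFESPAN_SECONDS = Duration.ofMinutes(2).getSeconds();` with a comment like `// OIDC Back-Channel Logout 1.0 §2.4/§4: exp is required and should be short (at most two minutes)` would keep the two in step and record why the value is deliberately not configurable. The line also reads the clock a second time after `issuedNow()`, so iat and exp can differ by 121 seconds when the calls straddle a second boundary; reading `long now = Time.currentTime();` once and passing it to both the iat and exp setters avoids that, assuming the token type exposes an iat setter taking the timestamp (confirm). Whether the claim has any effect on the receiving side depends on the logout-token verification rejecting expired tokens, which this commit does not touch and which is not visible here. The enclosing method of DefaultTokenManager starts and ends outside the hunk.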


@ -2,6 +2,7 @@ package org.keycloak.testsuite.util;
import org.keycloak.OAuth2Constants;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.JavaAlgorithm;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSHeader;
@ -15,6 +16,7 @@ import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.time.Duration;
import java.util.HashMap;
import java.util.UUID;
@ -35,6 +37,7 @@ public class LogoutTokenUtil {
logoutToken.issuer(issuer);
logoutToken.id(UUID.randomUUID().toString());
logoutToken.issuedNow();
logoutToken.exp(Time.currentTime() + Duration.ofMinutes(2).getSeconds());
logoutToken.audience(clientId);
String logoutTokenPayloadEncoded = Base64Url.encode(JsonSerialization.writeValueAsBytes(logoutToken));