From 072bfb433d28b85868bdee4c46fa40f680d17d96 Mon Sep 17 00:00:00 2001
From: Nikos Sklikas
Date: Mon, 31 May 2021 19:40:25 +0300
Subject: [PATCH] Make id token lifetime configurable
---
 src/oidcop/token/id_token.py | 5 ++---
 tests/test_05_id_token.py | 35 ++++++++++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/src/oidcop/token/id_token.py b/src/oidcop/token/id_token.py
index 609e29d8..89531e0d 100755
--- a/src/oidcop/token/id_token.py
+++ b/src/oidcop/token/id_token.py
@@ -25,7 +25,6 @@
 "client_secret_jwt": "HS256",
 "private_key_jwt": "RS256",
 }
-DEF_LIFETIME = 300
 def include_session_id(endpoint_context, client_id, where):
@@ -241,7 +240,7 @@ def sign_encrypt(
 )
 if lifetime is None:
- lifetime = DEF_LIFETIME
+ lifetime = self.lifetime
 _jwt = JWT(_context.keyjar, iss=_context.issuer, lifetime=lifetime, **alg_dict)
@@ -261,7 +260,7 @@ def __call__(self, session_id: Optional[str] = "", ttype: Optional[str] = "", **
 else:
 xargs = {}
- lifetime = self.kwargs.get("lifetime")
+ lifetime = self.lifetime
 # Weed out stuff that doesn't belong here
 kwargs = {k: v for k, v in kwargs.items() if k in ["encrypt", "code", "access_token"]}
diff --git a/tests/test_05_id_token.py b/tests/test_05_id_token.py
index 8696f76c..a4952805 100644
--- a/tests/test_05_id_token.py
+++ b/tests/test_05_id_token.py
@@ -32,6 +32,7 @@ def full_path(local_file):
 USERS = json.loads(open(full_path("users.json")).read())
 USERINFO = UserInfo(USERS)
+LIFETIME = 200
 AREQ = AuthorizationRequest(
 response_type="code",
@@ -91,7 +92,8 @@ def full_path(local_file):
 "base_claims": {
 "email": {"essential": True},
 "email_verified": {"essential": True},
- }
+ },
+ "lifetime": LIFETIME,
 },
 },
 },
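Review bot: The new fallback `lifetime = self.lifetime` in sign_encrypt (and the same read in the `__call__` hunk) depends on an attribute that no hunk in this commit assigns, so unless the base token class already sets `lifetime` from its constructor kwargs the handler will raise AttributeError the first time a token is minted. Even where it is set from configuration, the removed branch guaranteed a 300-second bound, whereas a handler deployed without a `lifetime` entry now forwards whatever `self.lifetime` holds, possibly `None`, straight into `JWT(...)`, and the resulting `exp` claim then depends on how that library treats `None`. A final fallback such as `lifetime = self.lifetime if self.lifetime is not None else DEF_LIFETIME`, keeping the `DEF_LIFETIME = 300` constant in the module, preserves the previous bounded lifetime for unconfigured deployments and avoids breaking any module that imported the constant. The bodies of sign_encrypt and `__call__` both start and end outside their hunks, so I cannot confirm from here whether `lifetime` is validated elsewhere.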
@@ -397,6 +399,37 @@ def test_available_claims(self):
 res = _jwt.unpack(id_token.value)
 assert "nickname" in res
+ def test_lifetime_default(self):
+ session_id = self._create_session(AREQ)
+ grant = self.session_manager[session_id]
+
+ id_token = self._mint_id_token(grant, session_id)
+
+ client_keyjar = KeyJar()
+ _jwks = self.endpoint_context.keyjar.export_jwks()
+ client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
+ _jwt = JWT(key_jar=client_keyjar, iss="client_1")
+ res = _jwt.unpack(id_token.value)
+
+ assert res["exp"] - res["iat"] == LIFETIME
+
+ def test_lifetime(self):
+ lifetime = 100
+
+ self.session_manager.token_handler["id_token"].lifetime = lifetime
+ session_id = self._create_session(AREQ)
+ grant = self.session_manager[session_id]
+
+ id_token = self._mint_id_token(grant, session_id)
+
+ client_keyjar = KeyJar()
+ _jwks = self.endpoint_context.keyjar.export_jwks()
+ client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
+ _jwt = JWT(key_jar=client_keyjar, iss="client_1")
+ res = _jwt.unpack(id_token.value)
+
+ assert res["exp"] - res["iat"] == lifetime
+
 def test_no_available_claims(self):
 session_id = self._create_session(AREQ)
 grant = self.session_manager[session_id]
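Review bot: `test_lifetime_default` asserts `res["exp"] - res["iat"] == LIFETIME`, the value the fixture configures explicitly via `"lifetime": LIFETIME`, so it covers the configured path and not the default that applies when no `lifetime` key is present; the name overstates what is checked. Either rename it to `test_lifetime_configured` or add a case that builds the handler without the `lifetime` entry and asserts the fallback lifetime the handler then applies, which is the case most likely to regress. `test_lifetime` assigns `token_handler["id_token"].lifetime = lifetime` on a shared handler object and never restores it; if the endpoint fixture is not rebuilt for every test (not visible in the hunk) the 100-second value leaks into later tests. The unpack sequence from `KeyJar()` through `_jwt.unpack(...)` is duplicated verbatim in both tests and would read better as a small `_unpack_id_token` helper, but that is a style point.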