add the exp claim to the backchannel logout token

This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4. As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time. resolves #25753 Signed-off-by: Niko Köbler <niko@n-k.de> (cherry picked from commit 5e623f4)
keycloak · Dec 27, 2023 · 9659182 · 9659182
1 parent ca7b8d6
commit 9659182
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/services/src/main/java/org/keycloak/jose/jws/DefaultTokenManager.java b/services/src/main/java/org/keycloak/jose/jws/DefaultTokenManager.java
@@ -19,6 +19,7 @@
 import org.jboss.logging.Logger;
 import org.keycloak.Token;
 import org.keycloak.TokenCategory;
+import org.keycloak.common.util.Time;
 import org.keycloak.crypto.Algorithm;
 import org.keycloak.crypto.CekManagementProvider;
 import org.keycloak.crypto.ClientSignatureVerifierProvider;
@@ -54,6 +55,7 @@
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.Key;
+import java.time.Duration;
 import java.util.Comparator;
 import java.util.Optional;
 import java.util.function.BiConsumer;
@@ -327,6 +329,7 @@ public LogoutToken initLogoutToken(ClientModel client, UserModel user,
         LogoutToken token = new LogoutToken();
         token.id(KeycloakModelUtils.generateId());
         token.issuedNow();
+        token.exp(Time.currentTime() + Duration.ofMinutes(2).getSeconds());
         token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
         token.putEvents(TokenUtil.TOKEN_BACKCHANNEL_LOGOUT_EVENT, JsonSerialization.createObjectNode());
         token.addAudience(client.getClientId());

diff --git a/...tion-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/LogoutTokenUtil.java b/...tion-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/LogoutTokenUtil.java
@@ -2,6 +2,7 @@
 
 import org.keycloak.OAuth2Constants;
 import org.keycloak.common.util.Base64Url;
+import org.keycloak.common.util.Time;
 import org.keycloak.crypto.JavaAlgorithm;
 import org.keycloak.jose.jws.Algorithm;
 import org.keycloak.jose.jws.JWSHeader;
@@ -15,6 +16,7 @@
 import java.security.PrivateKey;
 import java.security.Signature;
 import java.security.SignatureException;
+import java.time.Duration;
 import java.util.HashMap;
 import java.util.UUID;
 
@@ -35,6 +37,7 @@ public static String generateSignedLogoutToken(PrivateKey privateKey, String key
         logoutToken.issuer(issuer);
         logoutToken.id(UUID.randomUUID().toString());
         logoutToken.issuedNow();
+        logoutToken.exp(Time.currentTime() + Duration.ofMinutes(2).getSeconds());
         logoutToken.audience(clientId);
 
         String logoutTokenPayloadEncoded = Base64Url.encode(JsonSerialization.writeValueAsBytes(logoutToken));