fix: add configurable ttl.logout_token and optional exp claim

Author: ktsu2i

consent/strategy_default.go

@@ -711,14 +711,20 @@ func (s *defaultStrategy) executeBackChannelLogout(ctx context.Context, r *http.
 		// s.r.ConsentManager().GetForcedObfuscatedLoginSession(context.Background(), subject, <missing>)
 		// sub := s.obfuscateSubjectIdentifier(c, subject, )
 
-		t, _, err := s.r.OpenIDJWTSigner().Generate(ctx, jwt.MapClaims{
+		now := time.Now().UTC()
+		claims := jwt.MapClaims{
 			"iss":    s.r.Config().IssuerURL(ctx).String(),
 			"aud":    []string{c.ID},
-			"iat":    time.Now().UTC().Unix(),
+			"iat":    now.Unix(),
 			"jti":    uuid.New(),
 			"events": map[string]struct{}{"http://schemas.openid.net/event/backchannel-logout": {}},
 			"sid":    sid,
-		}, &jwt.Headers{
+		}
+		if logoutTokenLifespan := s.r.Config().GetLogoutTokenLifespan(ctx); logoutTokenLifespan > 0 {
+			claims["exp"] = now.Add(logoutTokenLifespan).Unix()
+		}
+
+		t, _, err := s.r.OpenIDJWTSigner().Generate(ctx, claims, &jwt.Headers{
 			Extra: map[string]interface{}{"kid": openIDKeyID},
 		})
 		if err != nil {

consent/strategy_logout_test.go

@@ -332,6 +332,7 @@ func TestLogoutFlows(t *testing.T) {
 			assert.EqualValues(t, <-sid, logoutToken.Get("sid").String(), logoutToken.Raw)
 			assert.Empty(t, logoutToken.Get("sub").String(), logoutToken.Raw) // The sub claim should be empty because it doesn't work with forced obfuscation and thus we can't easily recover it.
 			assert.Empty(t, logoutToken.Get("nonce").String(), logoutToken.Raw)
+			assert.False(t, logoutToken.Get("exp").Exists(), "exp claim should not be present when ttl.logout_token is not set")
 		})
 
 		t.Run("method=get", testExpectPostLogoutPage(createBrowserWithSession(t, c), http.MethodGet, url.Values{}, defaultRedirectedMessage))
@@ -342,6 +343,36 @@ func TestLogoutFlows(t *testing.T) {
 		backChannelWG.Wait() // we want to ensure that all back channels have been called!
 	})
 
+	t.Run("case=should include exp claim in logout token when ttl.logout_token is set", func(t *testing.T) {
+		require.NoError(t, reg.Config().Source(ctx).Set(config.KeyLogoutTokenLifespan, "2m"))
+		t.Cleanup(func() {
+			require.NoError(t, reg.Config().Source(ctx).Set(config.KeyLogoutTokenLifespan, "0s"))
+		})
+
+		sid := acceptLoginAsAndWatchSid(t, subject)
+
+		logoutWg := newWg(2)
+		setupCheckAndAcceptLogoutHandler(t, logoutWg, nil)
+
+		backChannelWG := newWg(2)
+		c := createClientWithBackchannelLogout(t, backChannelWG, func(t *testing.T, logoutToken gjson.Result) {
+			assert.EqualValues(t, <-sid, logoutToken.Get("sid").String(), logoutToken.Raw)
+			assert.True(t, logoutToken.Get("exp").Exists(), "exp claim should be present when ttl.logout_token is set")
+
+			iat := logoutToken.Get("iat").Int()
+			exp := logoutToken.Get("exp").Int()
+			diff := exp - iat
+			assert.InDelta(t, 120, diff, 2, "exp should be approximately iat + 120 seconds")
+		})
+
+		t.Run("method=get", testExpectPostLogoutPage(createBrowserWithSession(t, c), http.MethodGet, url.Values{}, defaultRedirectedMessage))
+
+		t.Run("method=post", testExpectPostLogoutPage(createBrowserWithSession(t, c), http.MethodPost, url.Values{}, defaultRedirectedMessage))
+
+		logoutWg.Wait()
+		backChannelWG.Wait()
+	})
+
 	// Only do GET requests from here on out, POST should be tested enough to ensure that it is working fine already.
 
 	t.Run("case=should fail several flows when id_token_hint is invalid", func(t *testing.T) {

driver/config/provider.go

@@ -75,6 +75,7 @@ const (
 	KeyIDTokenLifespan                           = "ttl.id_token"      // #nosec G101
 	KeyAuthCodeLifespan                          = "ttl.auth_code"
 	KeyDeviceAndUserCodeLifespan                 = "ttl.device_user_code"
+	KeyLogoutTokenLifespan                       = "ttl.logout_token" // #nosec G101
 	KeyAuthenticationSessionLifespan             = "ttl.authentication_session"
 	KeyScopeStrategy                             = "strategies.scope"
 	KeyGetCookieSecrets                          = "secrets.cookie"
@@ -414,6 +415,11 @@ func (p *DefaultProvider) GetDeviceAndUserCodeLifespan(ctx context.Context) time
 	return p.p.DurationF(KeyDeviceAndUserCodeLifespan, time.Minute*15)
 }
 
+// GetLogoutTokenLifespan returns the logout_token lifespan. Defaults to 0 (no exp claim).
+func (p *DefaultProvider) GetLogoutTokenLifespan(ctx context.Context) time.Duration {
+	return p.p.DurationF(KeyLogoutTokenLifespan, 0)
+}
+
 // GetAuthenticationSessionLifespan returns the authentication_session lifespan.
 func (p *DefaultProvider) GetAuthenticationSessionLifespan(ctx context.Context) time.Duration {
 	lifespan := p.p.Duration(KeyAuthenticationSessionLifespan)

spec/config.json

@@ -726,6 +726,15 @@
               "$ref": "#/definitions/duration"
             }
           ]
+        },
+        "logout_token": {
+          "description": "Configures how long logout tokens are valid. If set to 0 or left unset, no exp claim will be added to the logout token (preserving backward compatibility). The OpenID Connect Back-Channel Logout specification recommends a value of at most two minutes (e.g. \"2m\").",
+          "type": "string",
+          "allOf": [
+            {
+              "$ref": "#/definitions/duration"
+            }
+          ]
         }
       }
     },