
Commit 0af265b

authored
Merge pull request #77 from nsklikas/fix-id-token-lifetime
Make id token lifetime configurable
2 parents b88dff6 + 072bfb4 commit 0af265b

2 files changed

Lines changed: 36 additions & 4 deletions


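--- a/src/oidcop/token/id_token.py
+++ b/src/oidcop/token/id_token.py
@@ -25,7 +25,6 @@
 "client_secret_jwt": "HS256",
 "private_key_jwt": "RS256",
 }
-DEF_LIFETIME = 300
 
 
 def include_session_id(endpoint_context, client_id, where):
@@ -241,7 +240,7 @@ def sign_encrypt(
 )
 
 if lifetime is None:
-lifetime = DEF_LIFETIME
+lifetime = self.lifetime
 
 _jwt = JWT(_context.keyjar, iss=_context.issuer, lifetime=lifetime, **alg_dict)
 
@@ -261,7 +260,7 @@ def __call__(self, session_id: Optional[str] = "", ttype: Optional[str] = "", **
 else:
 xargs = {}
 
-lifetime = self.kwargs.get("lifetime")
+lifetime = self.lifetime
 
 # Weed out stuff that doesn't belong here
 kwargs = {k: v for k, v in kwargs.items() if k in ["encrypt", "code", "access_token"]}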
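Review bot: `lifetime = self.lifetime` in `__call__`, and the `if lifetime is None` fallback in `sign_encrypt`, now pass an operator-supplied setting straight to `JWT(..., lifetime=lifetime, ...)`, and nothing in these hunks checks that it is a positive integer. This value bounds the ID token's `exp`, so a zero, negative, non-numeric or very large setting would either mint tokens that relying parties reject at once or widen the window in which a leaked token is still accepted. Where `self.lifetime` is assigned is not visible here (both function bodies start and end outside the hunks); at that point I would add a guard such as `if not isinstance(lifetime, int) or lifetime <= 0: raise ValueError("id_token lifetime must be a positive integer")`. With `DEF_LIFETIME = 300` removed, that assignment is also the only place a default can come from, so the default should be documented there, and the removal may break external code that imports `DEF_LIFETIME`.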

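--- a/tests/test_05_id_token.py
+++ b/tests/test_05_id_token.py
@@ -32,6 +32,7 @@ def full_path(local_file):
 
 USERS = json.loads(open(full_path("users.json")).read())
 USERINFO = UserInfo(USERS)
+LIFETIME = 200
 
 AREQ = AuthorizationRequest(
 response_type="code",
@@ -91,7 +92,8 @@ def full_path(local_file):
 "base_claims": {
 "email": {"essential": True},
 "email_verified": {"essential": True},
-}
+},
+"lifetime": LIFETIME,
 },
 },
 },
@@ -397,6 +399,37 @@ def test_available_claims(self):
 res = _jwt.unpack(id_token.value)
 assert "nickname" in res
 
+def test_lifetime_default(self):
+session_id = self._create_session(AREQ)
+grant = self.session_manager[session_id]
+
+id_token = self._mint_id_token(grant, session_id)
+
+client_keyjar = KeyJar()
+_jwks = self.endpoint_context.keyjar.export_jwks()
+client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
+_jwt = JWT(key_jar=client_keyjar, iss="client_1")
+res = _jwt.unpack(id_token.value)
+
+assert res["exp"] - res["iat"] == LIFETIME
+
+def test_lifetime(self):
+lifetime = 100
+
+self.session_manager.token_handler["id_token"].lifetime = lifetime
+session_id = self._create_session(AREQ)
+grant = self.session_manager[session_id]
+
+id_token = self._mint_id_token(grant, session_id)
+
+client_keyjar = KeyJar()
+_jwks = self.endpoint_context.keyjar.export_jwks()
+client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
+_jwt = JWT(key_jar=client_keyjar, iss="client_1")
+res = _jwt.unpack(id_token.value)
+
+assert res["exp"] - res["iat"] == lifetime
+
 def test_no_available_claims(self):
 session_id = self._create_session(AREQ)
 grant = self.session_manager[session_id]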
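Review bot: `test_lifetime_default` asserts `res["exp"] - res["iat"] == LIFETIME`, which is the 200 seconds the fixture sets through `"lifetime": LIFETIME`, so the path where no lifetime is configured is never exercised. I would rename it to `test_lifetime_from_config` and add a case whose token configuration omits `"lifetime"` and asserts the built-in default (the removed constant was 300; the new default is not visible in this commit). `test_lifetime` also overwrites `token_handler["id_token"].lifetime` in place; if the fixture that builds the session manager is not recreated per test (it is outside these hunks), that value of 100 carries over into later tests. A negative case for a non-positive or non-integer lifetime would pin down how a misconfigured expiry is handled.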
