jetty · lachlan-roberts · Apr 11, 2023 · Mar 13, 2023 · Mar 16, 2023 · Mar 17, 2023
diff --git a/jetty-openid/src/main/config/etc/jetty-openid.xml b/jetty-openid/src/main/config/etc/jetty-openid.xml
@@ -38,6 +38,9 @@
         <Set name="authenticateNewUsers">
           <Property name="jetty.openid.authenticateNewUsers" default="false"/>
         </Set>
+        <Set name="respectIdTokenExpiry">
+          <Property name="jetty.openid.respectIdTokenExpiry" default="false"/>
+        </Set>
         <Call name="addScopes">
           <Arg>
             <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">

diff --git a/jetty-openid/src/main/config/modules/openid.mod b/jetty-openid/src/main/config/modules/openid.mod
@@ -45,3 +45,6 @@ etc/jetty-openid.xml
 
 ## What authentication method to use with the Token Endpoint (client_secret_post, client_secret_basic).
 # jetty.openid.authMethod=client_secret_post
+
+## Whether the user should be logged out after the idToken expiry.
+# jetty.openid.respectIdTokenExpiry=false
diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java
@@ -248,6 +248,11 @@ public UserIdentity login(String username, Object credentials, ServletRequest re
     public void logout(ServletRequest request)
     {
         attemptLogoutRedirect(request);
+        logoutWithoutRedirect(request);
+    }
+
+    private void logoutWithoutRedirect(ServletRequest request)
+    {
         super.logout(request);
         HttpServletRequest httpRequest = (HttpServletRequest)request;
         HttpSession session = httpRequest.getSession(false);
@@ -265,13 +270,13 @@ public void logout(ServletRequest request)
     }
 
     /**
-     * This will attempt to redirect the request to the end_session_endpoint, and finally to the {@link #REDIRECT_PATH}.
+     * <p>This will attempt to redirect the request to the end_session_endpoint, and finally to the {@link #REDIRECT_PATH}.</p>
      *
-     * If end_session_endpoint is defined the request will be redirected to the end_session_endpoint, the optional
-     * post_logout_redirect_uri parameter will be set if {@link #REDIRECT_PATH} is non-null.
+     * <p>If end_session_endpoint is defined the request will be redirected to the end_session_endpoint, the optional
+     * post_logout_redirect_uri parameter will be set if {@link #REDIRECT_PATH} is non-null.</p>
      *
-     * If the end_session_endpoint is not defined then the request will be redirected to {@link #REDIRECT_PATH} if it is a
-     * non-null value, otherwise no redirection will be done.
+     * <p>If the end_session_endpoint is not defined then the request will be redirected to {@link #REDIRECT_PATH} if it is a
+     * non-null value, otherwise no redirection will be done.</p>
      *
      * @param request the request to redirect.
      */
@@ -366,6 +371,21 @@ public void prepareRequest(ServletRequest request)
         baseRequest.setMethod(method);
     }
 
+    private boolean hasExpiredIdToken(HttpSession session)
+    {
+        if (session != null)
+        {
+            Map<String, Object> claims = (Map)session.getAttribute(CLAIMS);
+            if (claims != null)
+            {
+                long expiry = (Long)claims.get("exp");
+                long currentTimeSeconds = System.currentTimeMillis() / 1000;
+                return (currentTimeSeconds > expiry);
+            }
+        }
+        return false;
+    }
+
     @Override
     public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException
     {
@@ -381,17 +401,29 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
         if (uri == null)
             uri = URIUtil.SLASH;
 
-        mandatory |= isJSecurityCheck(uri);
-        if (!mandatory)
-            return new DeferredAuthentication(this);
+        HttpSession session = request.getSession(false);
+        if (_openIdConfiguration.isRespectIdTokenExpiry() && hasExpiredIdToken(session))
+        {
+            logoutWithoutRedirect(request);
+        }
+        else
+        {
+            // If we expired a valid authentication we do not want to defer authentication,
+            // we want to try re-authenticate the user.
+            mandatory |= isJSecurityCheck(uri);
+            if (!mandatory)
+                return new DeferredAuthentication(this);
+        }
 
         if (isErrorPage(baseRequest.getPathInContext()) && !DeferredAuthentication.isDeferred(response))
             return new DeferredAuthentication(this);
 
         try
         {
             // Get the Session.
-            HttpSession session = request.getSession();
+            if (session == null)
+                session = request.getSession(true);
+
             if (request.isRequestedSessionIdFromURL())
             {
                 sendError(request, response, "Session ID must be a cookie to support OpenID authentication");
@@ -464,10 +496,7 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
                 {
                     if (LOG.isDebugEnabled())
                         LOG.debug("auth revoked {}", authentication);
-                    synchronized (session)
-                    {
-                        session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
-                    }
+                    logoutWithoutRedirect(request);
                 }
                 else
                 {
@@ -499,10 +528,10 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
                             }
                         }
                     }
+                    if (LOG.isDebugEnabled())
+                        LOG.debug("auth {}", authentication);
+                    return authentication;
                 }
-                if (LOG.isDebugEnabled())
-                    LOG.debug("auth {}", authentication);
-                return authentication;
             }
 
             // If we can't send challenge.
@@ -513,12 +542,11 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
                 return Authentication.UNAUTHENTICATED;
             }
 
-            // Send the the challenge.
+            // Send the challenge.
             String challengeUri = getChallengeUri(baseRequest);
             if (LOG.isDebugEnabled())
                 LOG.debug("challenge {}->{}", session.getId(), challengeUri);
             baseResponse.sendRedirect(challengeUri, true);
-
             return Authentication.SEND_CONTINUE;
         }
         catch (IOException e)

diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java
@@ -55,6 +55,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle
     private String tokenEndpoint;
     private String endSessionEndpoint;
     private boolean authenticateNewUsers = false;
+    private boolean respectIdTokenExpiry = false;
 
     /**
      * Create an OpenID configuration for a specific OIDC provider.
@@ -275,6 +276,16 @@ public void setAuthenticateNewUsers(boolean authenticateNewUsers)
         this.authenticateNewUsers = authenticateNewUsers;
     }
 
+    public boolean isRespectIdTokenExpiry()
+    {
+        return respectIdTokenExpiry;
+    }
+
+    public void setRespectIdTokenExpiry(boolean respectIdTokenExpiry)
+    {
+        this.respectIdTokenExpiry = respectIdTokenExpiry;
+    }
+
     private static HttpClient newHttpClient()
     {
         ClientConnector connector = new ClientConnector();

diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@@ -137,12 +137,21 @@ private void validateClaims(OpenIdConfiguration configuration) throws Exception
             throw new AuthenticationException("Authorized party claim value should be the client_id");
 
         // Check that the ID token has not expired by checking the exp claim.
-        long expiry = (Long)claims.get("exp");
-        long currentTimeSeconds = (long)(System.currentTimeMillis() / 1000F);
-        if (currentTimeSeconds > expiry)
+        if (isExpired())
             throw new AuthenticationException("ID Token has expired");
     }
 
+    public boolean isExpired()
+    {
+        if (claims == null)
+            return true;
+
+        // Check that the ID token has not expired by checking the exp claim.
+        long expiry = (Long)claims.get("exp");
+        long currentTimeSeconds = System.currentTimeMillis() / 1000;
+        return (currentTimeSeconds > expiry);
+    }
+
     private void validateAudience(OpenIdConfiguration configuration) throws AuthenticationException
     {
         Object aud = claims.get("aud");

diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdLoginService.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdLoginService.java
@@ -136,7 +136,9 @@ public boolean validate(UserIdentity user)
     {
         if (!(user.getUserPrincipal() instanceof OpenIdUserPrincipal))
             return false;
-
+        OpenIdUserPrincipal userPrincipal = (OpenIdUserPrincipal)user.getUserPrincipal();
+        if (configuration.isRespectIdTokenExpiry() && userPrincipal.getCredentials().isExpired())
+            return false;
         return loginService == null || loginService.validate(user);
     }