Allow configuring OIDC ID token ttl using TokenSettings

Closes spring-projectsgh-1689

Author: bytestreme

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/settings/ConfigurationSettingNames.java

@@ -25,6 +25,7 @@
  * The names for all the configuration settings.
  *
  * @author Joe Grandja
+ * @author Shyngys Sapraliyev
  * @since 0.2.0
  */
 public final class ConfigurationSettingNames {
@@ -223,6 +224,11 @@ public static final class Token {
 		public static final String ID_TOKEN_SIGNATURE_ALGORITHM = TOKEN_SETTINGS_NAMESPACE
 			.concat("id-token-signature-algorithm");
 
+		/**
+		 * Set the time-to-live for the {@link OidcIdToken ID Token}.
+		 */
+		public static final String ID_TOKEN_TIME_TO_LIVE = TOKEN_SETTINGS_NAMESPACE.concat("id-token-time-to-live");
+
 		/**
 		 * Set to {@code true} if access tokens must be bound to the client
 		 * {@code X509Certificate} received during client authentication when using the

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/settings/TokenSettings.java

@@ -26,6 +26,7 @@
  * A facility for token configuration settings.
  *
  * @author Joe Grandja
+ * @author Shyngys Sapraliyev
  * @since 0.0.2
  * @see AbstractSettings
  * @see ConfigurationSettingNames.Token
@@ -102,6 +103,15 @@ public SignatureAlgorithm getIdTokenSignatureAlgorithm() {
 		return getSetting(ConfigurationSettingNames.Token.ID_TOKEN_SIGNATURE_ALGORITHM);
 	}
 
+	/**
+	 * Returns the time-to-live for the {@link OidcIdToken ID Token}. The default is 30
+	 * minutes.
+	 * @return the time-to-live for the {@link OidcIdToken ID Token}
+	 */
+	public Duration getIdTokenTimeToLive() {
+		return getSetting(ConfigurationSettingNames.Token.ID_TOKEN_TIME_TO_LIVE);
+	}
+
 	/**
 	 * Returns {@code true} if access tokens must be bound to the client
 	 * {@code X509Certificate} received during client authentication when using the
@@ -127,6 +137,7 @@ public static Builder builder() {
 			.reuseRefreshTokens(true)
 			.refreshTokenTimeToLive(Duration.ofMinutes(60))
 			.idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
+			.idTokenTimeToLive(Duration.ofMinutes(30))
 			.x509CertificateBoundAccessTokens(false);
 	}
 
@@ -238,6 +249,18 @@ public Builder idTokenSignatureAlgorithm(SignatureAlgorithm idTokenSignatureAlgo
 			return setting(ConfigurationSettingNames.Token.ID_TOKEN_SIGNATURE_ALGORITHM, idTokenSignatureAlgorithm);
 		}
 
+		/**
+		 * Set the time-to-live for the {@link OidcIdToken ID Token}. Must be greater than
+		 * {@code Duration.ZERO}.
+		 * @param idTokenTimeToLive the time-to-live for the {@link OidcIdToken ID Token}
+		 * @return the {@link Builder} for further configuration
+		 */
+		public Builder idTokenTimeToLive(Duration idTokenTimeToLive) {
+			Assert.notNull(idTokenTimeToLive, "idTokenTimeToLive cannot be null");
+			Assert.isTrue(idTokenTimeToLive.getSeconds() > 0, "idTokenTimeToLive must be greater than Duration.ZERO");
+			return setting(ConfigurationSettingNames.Token.ID_TOKEN_TIME_TO_LIVE, idTokenTimeToLive);
+		}
+
 		/**
 		 * Set to {@code true} if access tokens must be bound to the client
 		 * {@code X509Certificate} received during client authentication when using the

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java

@@ -16,7 +16,6 @@
 package org.springframework.security.oauth2.server.authorization.token;
 
 import java.time.Instant;
-import java.time.temporal.ChronoUnit;
 import java.util.Collections;
 import java.util.Date;
 import java.util.UUID;
@@ -49,6 +48,7 @@
  * {@link OAuth2AccessToken} or {@link OidcIdToken}.
  *
  * @author Joe Grandja
+ * @author Shyngys Sapraliyev
  * @since 0.2.3
  * @see OAuth2TokenGenerator
  * @see Jwt
@@ -97,9 +97,9 @@ public Jwt generate(OAuth2TokenContext context) {
 		Instant issuedAt = Instant.now();
 		Instant expiresAt;
 		JwsAlgorithm jwsAlgorithm = SignatureAlgorithm.RS256;
+
 		if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
-			// TODO Allow configuration for ID Token time-to-live
-			expiresAt = issuedAt.plus(30, ChronoUnit.MINUTES);
+			expiresAt = issuedAt.plus(registeredClient.getTokenSettings().getIdTokenTimeToLive());
 			if (registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm() != null) {
 				jwsAlgorithm = registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm();
 			}

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/settings/TokenSettingsTests.java

@@ -28,20 +28,22 @@
  * Tests for {@link TokenSettings}.
  *
  * @author Joe Grandja
+ * @author Shyngys Sapraliyev
  */
 public class TokenSettingsTests {
 
 	@Test
 	public void buildWhenDefaultThenDefaultsAreSet() {
 		TokenSettings tokenSettings = TokenSettings.builder().build();
-		assertThat(tokenSettings.getSettings()).hasSize(8);
+		assertThat(tokenSettings.getSettings()).hasSize(9);
 		assertThat(tokenSettings.getAuthorizationCodeTimeToLive()).isEqualTo(Duration.ofMinutes(5));
 		assertThat(tokenSettings.getAccessTokenTimeToLive()).isEqualTo(Duration.ofMinutes(5));
 		assertThat(tokenSettings.getAccessTokenFormat()).isEqualTo(OAuth2TokenFormat.SELF_CONTAINED);
 		assertThat(tokenSettings.getDeviceCodeTimeToLive()).isEqualTo(Duration.ofMinutes(5));
 		assertThat(tokenSettings.isReuseRefreshTokens()).isTrue();
 		assertThat(tokenSettings.getRefreshTokenTimeToLive()).isEqualTo(Duration.ofMinutes(60));
 		assertThat(tokenSettings.getIdTokenSignatureAlgorithm()).isEqualTo(SignatureAlgorithm.RS256);
+		assertThat(tokenSettings.getIdTokenTimeToLive()).isEqualTo(Duration.ofMinutes(30));
 		assertThat(tokenSettings.isX509CertificateBoundAccessTokens()).isFalse();
 	}
 
@@ -142,6 +144,31 @@ public void refreshTokenTimeToLiveWhenNullOrZeroOrNegativeThenThrowIllegalArgume
 			.isEqualTo("refreshTokenTimeToLive must be greater than Duration.ZERO");
 	}
 
+	@Test
+	public void idTokenTimeToLiveWhenProvidedThenSet() {
+		Duration idTokenTimeToLive = Duration.ofMinutes(15);
+		TokenSettings tokenSettings = TokenSettings.builder().idTokenTimeToLive(idTokenTimeToLive).build();
+		assertThat(tokenSettings.getIdTokenTimeToLive()).isEqualTo(idTokenTimeToLive);
+	}
+
+	@Test
+	public void idTokenTimeToLiveWhenNullOrZeroOrNegativeThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> TokenSettings.builder().idTokenTimeToLive(null))
+			.isInstanceOf(IllegalArgumentException.class)
+			.extracting(Throwable::getMessage)
+			.isEqualTo("idTokenTimeToLive cannot be null");
+
+		assertThatThrownBy(() -> TokenSettings.builder().idTokenTimeToLive(Duration.ZERO))
+			.isInstanceOf(IllegalArgumentException.class)
+			.extracting(Throwable::getMessage)
+			.isEqualTo("idTokenTimeToLive must be greater than Duration.ZERO");
+
+		assertThatThrownBy(() -> TokenSettings.builder().idTokenTimeToLive(Duration.ofSeconds(-10)))
+			.isInstanceOf(IllegalArgumentException.class)
+			.extracting(Throwable::getMessage)
+			.isEqualTo("idTokenTimeToLive must be greater than Duration.ZERO");
+	}
+
 	@Test
 	public void idTokenSignatureAlgorithmWhenProvidedThenSet() {
 		SignatureAlgorithm idTokenSignatureAlgorithm = SignatureAlgorithm.RS512;
@@ -163,7 +190,7 @@ public void settingWhenCustomThenSet() {
 			.setting("name1", "value1")
 			.settings((settings) -> settings.put("name2", "value2"))
 			.build();
-		assertThat(tokenSettings.getSettings()).hasSize(10);
+		assertThat(tokenSettings.getSettings()).hasSize(11);
 		assertThat(tokenSettings.<String>getSetting("name1")).isEqualTo("value1");
 		assertThat(tokenSettings.<String>getSetting("name2")).isEqualTo("value2");
 	}

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/token/JwtGeneratorTests.java

@@ -65,6 +65,7 @@
  * Tests for {@link JwtGenerator}.
  *
  * @author Joe Grandja
+ * @author Shyngys Sapraliyev
  */
 public class JwtGeneratorTests {
 
@@ -322,7 +323,7 @@ private void assertGeneratedTokenType(OAuth2TokenContext tokenContext) {
 			expiresAt = issuedAt.plus(tokenContext.getRegisteredClient().getTokenSettings().getAccessTokenTimeToLive());
 		}
 		else {
-			expiresAt = issuedAt.plus(30, ChronoUnit.MINUTES);
+			expiresAt = issuedAt.plus(tokenContext.getRegisteredClient().getTokenSettings().getIdTokenTimeToLive());
 		}
 		assertThat(jwtClaimsSet.getIssuedAt()).isBetween(issuedAt.minusSeconds(1), issuedAt.plusSeconds(1));
 		assertThat(jwtClaimsSet.getExpiresAt()).isBetween(expiresAt.minusSeconds(1), expiresAt.plusSeconds(1));