Merge branch 'master' into SamuelWei-verify-iss

samuelwei · web-flow · commit 2e6ddd91f286 · 2025-05-08T11:39:26.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,12 +6,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+### Added
+- Support to change the `leeway` time for JWT verification using `setLeeway` #483
+
 ### Changed
 - Stop adding ?schema=openid to userinfo endpoint URL. #449
 
 ### Fixed
 - Check existence of subject when verifying JWT #474
 - Check existence of issuer before validating #477
+- exp verification when verifying Logout Token claims #482
 
 ## [1.0.1] - 2024-09-13
 
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -536,12 +536,17 @@ public function verifyLogoutTokenClaims($claims): bool
         if (!in_array($this->clientID, $auds, true)) {
             return false;
         }
-        // Validate the iat. At this point we can return true if it is ok
-        if (isset($claims->iat) && ((is_int($claims->iat)) && ($claims->iat <= time() + $this->leeway))) {
-            return true;
+        // Validate iat exists, is an int, and is not in the future
+        if (!isset($claims->iat) || !is_int($claims->iat) || ($claims->iat >= time() + $this->leeway)) {
+            return false;
         }
 
-        return false;
+        // Validate exp exists, is an int, and is not too old
+        if (!isset($claims->exp) || !is_int($claims->exp) || ($claims->exp <= time() - $this->leeway)) {
+            return false;
+        }
+
+        return true;
     }
 
     /**
@@ -2030,6 +2035,11 @@ public function getLeeway(): int
         return $this->leeway;
     }
 
+    public function setLeeway(int $leeway)
+    {
+        $this->leeway = $leeway;
+    }
+
     /**
      * @return string
      */
diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php
@@ -232,6 +232,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'sid' => 'fake-client-sid',
                     'sub' => 'fake-client-sub',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -245,6 +246,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'sid' => 'fake-client-sid',
                     'sub' => 'fake-client-sub',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -256,6 +258,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'iss' => 'fake-issuer',
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -268,6 +271,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sub' => 'fake-client-sub',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -280,6 +284,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -292,6 +297,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -305,6 +311,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'nonce' => 'must-not-be-set'
                 ],
                 false
@@ -315,6 +322,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [],
                     'nonce' => 'must-not-be-set'
                 ],
@@ -325,6 +333,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'iss' => 'fake-issuer',
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ]
@@ -337,6 +346,34 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time() + 301,
+                    'exp' => time() + 300,
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ]
+                ],
+                false
+            ],
+            'invalid-no-exp' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'jti' => 'fake-client-jti',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ]
+                ],
+                false
+            ],
+            'invalid-bad-exp' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'jti' => 'fake-client-jti',
+                    'iat' => time(),
+                    'exp' => time() - 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ]
@@ -357,4 +394,15 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
             ],
         ];
     }
+
+    public function testLeeway()
+    {
+        // Default leeway is 300
+        $client = new OpenIDConnectClient();
+        $this->assertEquals(300, $client->getLeeway());
+
+        // Set leeway to 100
+        $client->setLeeway(100);
+        $this->assertEquals(100, $client->getLeeway());
+    }
 }
