
Commit bc719cc

authored
fix: verfify exp claim on backchannel logout token (#482)
* Fix missing exp validation on backchannel logout * Update changelog
1 parent 0ee87cc commit bc719cc


3 files changed

+47
-4
lines changed


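--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Check existence of subject when verifying JWT #474
+- exp verification when verifying Logout Token claims #482
 
 ## [1.0.1] - 2024-09-13
 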
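--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -536,12 +536,17 @@ public function verifyLogoutTokenClaims($claims): bool
 if (!in_array($this->clientID, $auds, true)) {
 return false;
 }
-// Validate the iat. At this point we can return true if it is ok
-if (isset($claims->iat) && ((is_int($claims->iat)) && ($claims->iat <= time() + $this->leeway))) {
-return true;
+// Validate iat exists, is an int, and is not in the future
+if (!isset($claims->iat) || !is_int($claims->iat) || ($claims->iat >= time() + $this->leeway)) {
+return false;
 }
 
-return false;
+// Validate exp exists, is an int, and is not too old
+if (!isset($claims->exp) || !is_int($claims->exp) || ($claims->exp <= time() - $this->leeway)) {
+return false;
+}
+
+return true;
 }
 
 /**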
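Review bot: The rewritten iat guard on new line 540 rejects with `>=` where the removed check accepted with `<=`, so a token whose iat equals exactly `time() + $this->leeway` flips from accepted to rejected, and the exp guard on new line 545 likewise rejects an exp equal to `time() - $this->leeway`; if that tightening is intended the two comments should say so, otherwise `>` and `<` restore the inclusive boundary the old code had. Both guards also call `time()` separately, so `$now = time();` captured once before the iat check and reused in both comparisons keeps them consistent when the calls straddle a second boundary. The method's signature and the preceding issuer/audience checks sit outside the hunk, and nothing on the page shows a jti replay check for the logout token, which callers presumably handle elsewhere.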

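--- a/tests/OpenIDConnectClientTest.php
+++ b/tests/OpenIDConnectClientTest.php
@@ -225,6 +225,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'sid' => 'fake-client-sid',
 'sub' => 'fake-client-sub',
 'iat' => time(),
+'exp' => time() + 300,
 'events' => (object) [
 'http://schemas.openid.net/event/backchannel-logout' => (object)[]
 ],
@@ -238,6 +239,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'sid' => 'fake-client-sid',
 'sub' => 'fake-client-sub',
 'iat' => time(),
+'exp' => time() + 300,
 'events' => (object) [
 'http://schemas.openid.net/event/backchannel-logout' => (object)[]
 ],
@@ -249,6 +251,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'iss' => 'fake-issuer',
 'aud' => [ 'fake-client-id', 'some-other-aud' ],
 'iat' => time(),
+'exp' => time() + 300,
 'events' => (object) [
 'http://schemas.openid.net/event/backchannel-logout' => (object)[]
 ],
@@ -261,6 +264,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'aud' => [ 'fake-client-id', 'some-other-aud' ],
 'sub' => 'fake-client-sub',
 'iat' => time(),
+'exp' => time() + 300,
 'events' => (object) [
 'http://schemas.openid.net/event/backchannel-logout' => (object)[]
 ],
@@ -273,6 +277,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'aud' => [ 'fake-client-id', 'some-other-aud' ],
 'sid' => 'fake-client-sid',
 'iat' => time(),
+'exp' => time() + 300,
 'events' => (object) [
 'http://schemas.openid.net/event/backchannel-logout' => (object)[]
 ],
@@ -285,6 +290,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'aud' => [ 'fake-client-id', 'some-other-aud' ],
 'sid' => 'fake-client-sid',
 'iat' => time(),
+'exp' => time() + 300,
 'events' => (object) [
 'http://schemas.openid.net/event/backchannel-logout' => (object)[]
 ],
@@ -298,6 +304,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'aud' => [ 'fake-client-id', 'some-other-aud' ],
 'sid' => 'fake-client-sid',
 'iat' => time(),
+'exp' => time() + 300,
 'nonce' => 'must-not-be-set'
 ],
 false
@@ -308,6 +315,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'aud' => [ 'fake-client-id', 'some-other-aud' ],
 'sid' => 'fake-client-sid',
 'iat' => time(),
+'exp' => time() + 300,
 'events' => (object) [],
 'nonce' => 'must-not-be-set'
 ],
@@ -318,6 +326,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'iss' => 'fake-issuer',
 'aud' => [ 'fake-client-id', 'some-other-aud' ],
 'sid' => 'fake-client-sid',
+'exp' => time() + 300,
 'events' => (object) [
 'http://schemas.openid.net/event/backchannel-logout' => (object)[]
 ]
@@ -330,6 +339,34 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
 'aud' => [ 'fake-client-id', 'some-other-aud' ],
 'sid' => 'fake-client-sid',
 'iat' => time() + 301,
+'exp' => time() + 300,
+'events' => (object) [
+'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+]
+],
+false
+],
+'invalid-no-exp' => [
+(object)[
+'iss' => 'fake-issuer',
+'aud' => [ 'fake-client-id', 'some-other-aud' ],
+'sid' => 'fake-client-sid',
+'jti' => 'fake-client-jti',
+'iat' => time(),
+'events' => (object) [
+'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+]
+],
+false
+],
+'invalid-bad-exp' => [
+(object)[
+'iss' => 'fake-issuer',
+'aud' => [ 'fake-client-id', 'some-other-aud' ],
+'sid' => 'fake-client-sid',
+'jti' => 'fake-client-jti',
+'iat' => time(),
+'exp' => time() - 300,
 'events' => (object) [
 'http://schemas.openid.net/event/backchannel-logout' => (object)[]
 ]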
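Review bot: The new `is_int` branch of the exp guard has no dataset: every added `'exp'` in this provider is an int (`time() + 300` or `time() - 300`), so an `'invalid-non-int-exp'` case modelled on `'invalid-bad-exp'` with `'exp' => (string) (time() + 300),` would cover it. The two new datasets also carry `'jti' => 'fake-client-jti'` while none of the earlier ones do; dropping it or adding it everywhere keeps the provider uniform, so a future jti check is not exercised by only two cases by accident. The `false` expectation for `'exp' => time() - 300` in `'invalid-bad-exp'` holds only for a leeway of at most 300 seconds, which is not visible on this page; a one-line comment on that dataset naming the assumed leeway would make the intent explicit. provideTestVerifyLogoutTokenClaimsData continues outside the hunk.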
