Merge branch 'master' into fix-events-claim-check-on-backchannel-logout

samuelwei · web-flow · commit 632a744bdbe9 · 2025-05-08T11:42:05.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,12 +6,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+### Added
+- Support to change the `leeway` time for JWT verification using `setLeeway` #483
+
 ### Changed
 - Stop adding ?schema=openid to userinfo endpoint URL. #449
 
 ### Fixed
 - Check existence of subject when verifying JWT #474
 - Check existence of events claim when verifying Logout Token claims #480
+- exp verification when verifying Logout Token claims #482
 
 ## [1.0.1] - 2024-09-13
 
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -539,12 +539,17 @@ public function verifyLogoutTokenClaims($claims): bool
         if (!in_array($this->clientID, $auds, true)) {
             return false;
         }
-        // Validate the iat. At this point we can return true if it is ok
-        if (isset($claims->iat) && ((is_int($claims->iat)) && ($claims->iat <= time() + $this->leeway))) {
-            return true;
+        // Validate iat exists, is an int, and is not in the future
+        if (!isset($claims->iat) || !is_int($claims->iat) || ($claims->iat >= time() + $this->leeway)) {
+            return false;
         }
 
-        return false;
+        // Validate exp exists, is an int, and is not too old
+        if (!isset($claims->exp) || !is_int($claims->exp) || ($claims->exp <= time() - $this->leeway)) {
+            return false;
+        }
+
+        return true;
     }
 
     /**
@@ -2033,6 +2038,11 @@ public function getLeeway(): int
         return $this->leeway;
     }
 
+    public function setLeeway(int $leeway)
+    {
+        $this->leeway = $leeway;
+    }
+
     /**
      * @return string
      */
diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php
@@ -225,6 +225,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'sid' => 'fake-client-sid',
                     'sub' => 'fake-client-sub',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -238,6 +239,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'sid' => 'fake-client-sid',
                     'sub' => 'fake-client-sub',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -249,6 +251,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'iss' => 'fake-issuer',
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -261,6 +264,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sub' => 'fake-client-sub',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -273,6 +277,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -285,6 +290,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ],
@@ -298,6 +304,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time(),
+                    'exp' => time() + 300,
                 ],
                 false
             ],
@@ -307,6 +314,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time(),
+                    'exp' => time() + 300,
                     'events' => (object) [],
                 ],
                 false
@@ -316,6 +324,7 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'iss' => 'fake-issuer',
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
+                    'exp' => time() + 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ]
@@ -328,6 +337,34 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                     'aud' => [ 'fake-client-id', 'some-other-aud' ],
                     'sid' => 'fake-client-sid',
                     'iat' => time() + 301,
+                    'exp' => time() + 300,
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ]
+                ],
+                false
+            ],
+            'invalid-no-exp' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'jti' => 'fake-client-jti',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ]
+                ],
+                false
+            ],
+            'invalid-bad-exp' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'jti' => 'fake-client-jti',
+                    'iat' => time(),
+                    'exp' => time() - 300,
                     'events' => (object) [
                         'http://schemas.openid.net/event/backchannel-logout' => (object)[]
                     ]
@@ -336,4 +373,15 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
             ],
         ];
     }
+
+    public function testLeeway()
+    {
+        // Default leeway is 300
+        $client = new OpenIDConnectClient();
+        $this->assertEquals(300, $client->getLeeway());
+
+        // Set leeway to 100
+        $client->setLeeway(100);
+        $this->assertEquals(100, $client->getLeeway());
+    }
 }
