authorize: set JWT to expire after 5 minutes (#1980)

* authorize: set JWT to expire after 5 minutes

* use lesser of 5 minutes or id token expiration

* add test for expires at

authorize/evaluator/opa/policy/authz.rego

@@ -2,6 +2,9 @@ package pomerium.authz
 
 default allow = false
 
+# 5 minutes from now in seconds
+five_minutes := (time.now_ns() / 1e9) + (60 * 5)
+
 route_policy_idx := first_allowed_route_policy_idx(input.http.url)
 
 route_policy := data.route_policies[route_policy_idx]
@@ -166,7 +169,9 @@ jwt_payload_jti = v {
 }
 
 jwt_payload_exp = v {
-	v = session.expires_at.seconds
+	v = min([five_minutes, session.expires_at.seconds])
+} else = v {
+	v = five_minutes
 } else = null {
 	true
 }

authorize/evaluator/opa_test.go

@@ -150,6 +150,8 @@ func TestOPA(t *testing.T) {
 			var claims M
 			err = authJWT.Claims(publicJWK, &claims)
 			require.NoError(t, err)
+			assert.LessOrEqual(t, claims["exp"], float64(time.Now().Add(time.Minute*6).Unix()),
+				"JWT should expire within 5 minutes, but got: %v", claims["exp"])
 			return claims
 		}
 
@@ -174,6 +176,7 @@ func TestOPA(t *testing.T) {
 					Email: "group1@example.com",
 				},
 			)
+			delete(payload, "exp")
 			assert.Equal(t, M{
 				"aud":    "from.example.com",
 				"iss":    "authenticate.example.com",
@@ -212,8 +215,8 @@ func TestOPA(t *testing.T) {
 				"aud":    "from.example.com",
 				"iss":    "authenticate.example.com",
 				"jti":    "session1",
-				"exp":    1609462861.0,
 				"iat":    1612141261.0,
+				"exp":    1609462861.0,
 				"sub":    "user1",
 				"user":   "user1",
 				"email":  "a@example.com",