authorize: set JWT to expire after 5 minutes (#1980)

* authorize: set JWT to expire after 5 minutes * use lesser of 5 minutes or id token expiration * add test for expires at
2025-05-29 08:57:18 +02:00 · 2021-03-15 07:38:32 -06:00 · 2021-03-15 07:38:32 -06:00 · ae7626df3e
commit ae7626df3e
parent 07e150a5af
2 changed files with 10 additions and 2 deletions
--- a/authorize/evaluator/opa/policy/authz.rego
+++ b/authorize/evaluator/opa/policy/authz.rego
@ -2,6 +2,9 @@ package pomerium.authz

 default allow = false

+# 5 minutes from now in seconds
+five_minutes := (time.now_ns() / 1e9) + (60 * 5)
+
 route_policy_idx := first_allowed_route_policy_idx(input.http.url)

 route_policy := data.route_policies[route_policy_idx]
@ -166,7 +169,9 @@ jwt_payload_jti = v {
 }

 jwt_payload_exp = v {
-	v = session.expires_at.seconds
+	v = min([five_minutes, session.expires_at.seconds])
+} else = v {
+	v = five_minutes
 } else = null {
 	true
 }
--- a/authorize/evaluator/opa_test.go
+++ b/authorize/evaluator/opa_test.go
@ -150,6 +150,8 @@ func TestOPA(t *testing.T) {
 			var claims M
 			err = authJWT.Claims(publicJWK, &claims)
 			require.NoError(t, err)
+			assert.LessOrEqual(t, claims["exp"], float64(time.Now().Add(time.Minute*6).Unix()),
+				"JWT should expire within 5 minutes, but got: %v", claims["exp"])
 			return claims
 		}

@ -174,6 +176,7 @@ func TestOPA(t *testing.T) {
 					Email: "group1@example.com",
 				},
 			)
+			delete(payload, "exp")
 			assert.Equal(t, M{
 				"aud":    "from.example.com",
 				"iss":    "authenticate.example.com",
@ -212,8 +215,8 @@ func TestOPA(t *testing.T) {
 				"aud":    "from.example.com",
 				"iss":    "authenticate.example.com",
 				"jti":    "session1",
-				"exp":    1609462861.0,
 				"iat":    1612141261.0,
+				"exp":    1609462861.0,
 				"sub":    "user1",
 				"user":   "user1",
 				"email":  "a@example.com",