From ff4855dcbe784eefa34e5f3298ebc071e10ed208 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Mon, 8 Dec 2025 17:38:35 -0800 Subject: sts: limit session duration to incoming token's exp claim (#7670) * sts: limit session duration to incoming token's exp claim This fixes the issue where AssumeRoleWithWebIdentity would issue sessions that outlive the source identity token's expiration. For use cases like GitLab CI Jobs where the ID Token has an exp claim limited to the CI job's timeout, the STS session should not exceed that expiration. Changes: - Add TokenExpiration field to ExternalIdentity struct - Extract exp/iat/nbf claims in OIDC provider's ValidateToken - Pass token expiration from Authenticate to ExternalIdentity - Modify calculateSessionDuration to cap at source token's exp - Add comprehensive tests for the new behavior Fixes: https://github.com/seaweedfs/seaweedfs/discussions/7653 * refactor: reduce duplication in time claim extraction Use a loop over claim names instead of repeating the same extraction logic three times for exp, iat, and nbf claims. * address review: add defense-in-depth for expired tokens - Handle already-expired tokens defensively with 1 minute minimum duration - Enforce MaxSessionLength from config as additional cap - Fix potential nil dereference in test mock - Add test case for expired token scenario * remove issue reference from test * fix: remove early return to ensure MaxSessionLength is always checked --- weed/iam/providers/provider.go | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'weed/iam/providers/provider.go') diff --git a/weed/iam/providers/provider.go b/weed/iam/providers/provider.go index 5c1deb03d..3b7affc8e 100644 --- a/weed/iam/providers/provider.go +++ b/weed/iam/providers/provider.go @@ -47,6 +47,10 @@ type ExternalIdentity struct { // Provider is the name of the identity provider Provider string `json:"provider"` + + // TokenExpiration is the expiration time of the source identity token + // This is used to limit session duration to not exceed the token's exp claim + TokenExpiration *time.Time `json:"tokenExpiration,omitempty"` } // Validate validates the external identity structure -- cgit v1.2.3