id tokens always expire, addresses #416

openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java

@@ -42,6 +42,8 @@ import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
+import javax.persistence.PrePersist;
+import javax.persistence.PreUpdate;
 import javax.persistence.Table;
 import javax.persistence.Temporal;
 import javax.persistence.TemporalType;
@@ -65,6 +67,11 @@ import org.springframework.security.oauth2.provider.ClientDetails;
 })
 public class ClientDetailsEntity implements ClientDetails {
 
+	/**
+	 * 
+	 */
+    private static final int DEFAULT_ID_TOKEN_VALIDITY_SECONDS = 600;
+
 	private static final long serialVersionUID = -1617727085733786296L;
 
 	private Long id;
@@ -213,6 +220,15 @@ public class ClientDetailsEntity implements ClientDetails {
 
 	}
 
+	@PrePersist
+	@PreUpdate
+	private void prePersist() {
+		// make sure that ID tokens always time out, default to 5 minutes
+		if (getIdTokenValiditySeconds() == null) {
+			setIdTokenValiditySeconds(DEFAULT_ID_TOKEN_VALIDITY_SECONDS);
+		}
+	}	
+	
 	/**
 	 * @return the id
 	 */
@@ -270,6 +286,8 @@ public class ClientDetailsEntity implements ClientDetails {
 	}
 
 	/**
+	 * Number of seconds ID token is valid for. MUST be a positive integer, can not be null.
+	 * 
 	 * @return the idTokenValiditySeconds
 	 */
 	@Basic

openid-connect-server/src/main/resources/db/tables/hsql_database_tables.sql

@@ -78,7 +78,7 @@ CREATE TABLE IF NOT EXISTS client_details (
 	reuse_refresh_tokens BOOLEAN NOT NULL DEFAULT true,
 	dynamically_registered BOOLEAN NOT NULL DEFAULT false,
 	allow_introspection BOOLEAN NOT NULL DEFAULT false,
-	id_token_validity_seconds BIGINT,
+	id_token_validity_seconds BIGINT NOT NULL DEFAULT 600,
 	
 	client_id VARCHAR(256),
 	client_secret VARCHAR(2048),

openid-connect-server/src/main/resources/db/tables/mysql_database_tables.sql

@@ -78,7 +78,7 @@ CREATE TABLE IF NOT EXISTS client_details (
 	reuse_refresh_tokens BOOLEAN NOT NULL DEFAULT 1,
 	dynamically_registered BOOLEAN NOT NULL DEFAULT 0,
 	allow_introspection BOOLEAN NOT NULL DEFAULT 0,
-	id_token_validity_seconds BIGINT,
+	id_token_validity_seconds BIGINT NOT NULL DEFAULT 600,
 	
 	client_id VARCHAR(256),
 	client_secret VARCHAR(2048),

openid-connect-server/src/main/webapp/resources/js/client.js

@@ -293,11 +293,6 @@ var ClientFormView = Backbone.View.extend({
         	$("#access-token-timeout-unit", this.$el).prop('disabled',!$("#access-token-timeout-unit", this.$el).prop('disabled')); 
         	document.getElementById("access-token-timeout-time").value = '';
         	},
-        "click #disableIDTokenTimeout" : function() { 
-        	$("#id-token-timeout-time", this.$el).prop('disabled',!$("#id-token-timeout-time", this.$el).prop('disabled')); 
-        	$("#id-token-timeout-unit", this.$el).prop('disabled',!$("#id-token-timeout-unit", this.$el).prop('disabled')); 
-        	document.getElementById("id-token-timeout-time").value = ''; 
-        	},
         "click #disableRefreshTokenTimeout" : function() { 
         	$("#refresh-token-timeout-time", this.$el).prop('disabled',!$("#refresh-token-timeout-time", this.$el).prop('disabled'));
         	$("#refresh-token-timeout-unit", this.$el).prop('disabled',!$("#refresh-token-timeout-unit", this.$el).prop('disabled')); 
@@ -449,10 +444,7 @@ var ClientFormView = Backbone.View.extend({
         	accessTokenValiditySeconds = this.getFormTokenNumberValue($('#accessTokenValidityTime input[type=text]').val(), $('#accessTokenValidityTime select').val()); 
         }
         
-        var idTokenValiditySeconds = null;
+        var idTokenValiditySeconds = this.getFormTokenNumberValue($('#idTokenValidityTime input[type=text]').val(), $('#idTokenValidityTime select').val()); 
-        if (!$('disableIDTokenTimeout').is(':checked')) {
-        	idTokenValiditySeconds = this.getFormTokenNumberValue($('#idTokenValidityTime input[type=text]').val(), $('#idTokenValidityTime select').val()); 
-        }
         
         var refreshTokenValiditySeconds = null;
         if ($('#allowRefresh').is(':checked')) {
@@ -518,10 +510,6 @@ var ClientFormView = Backbone.View.extend({
             attrs["refreshTokenValiditySeconds"] = null;
         }
 
-        if ($('#disableIDTokenTimeout').is(':checked')) {
-             attrs["idTokenValiditySeconds"] = null;
-        }
-
         if ($('#disableAccessTokenTimeout').is(':checked')) {
             attrs["accessTokenValiditySeconds"] = null;
         }
@@ -637,11 +625,6 @@ var ClientFormView = Backbone.View.extend({
             $("#refresh-token-timeout-unit", this.$el).prop('disabled',true);
         }
 
-        if (this.model.get("idTokenValiditySeconds") == null) {
-            $("#id-token-timeout-time", this.$el).prop('disabled',true);
-            $("#id-token-timeout-unit", this.$el).prop('disabled',true);
-        }
-
         // toggle other dynamic fields
         this.toggleRequireClientSecret();
         this.previewLogo();

openid-connect-server/src/main/webapp/resources/template/client.html

@@ -376,11 +376,6 @@
             <div class="control-group" id="idTokenValidityTime">
                 <label class="control-label">ID Token Timeout</label>
                 <div class="controls">
-					<div>
-						<label class="checkbox">
-                        	<input type="checkbox" id="disableIDTokenTimeout" <%=(idTokenValiditySeconds == null ? 'checked' : '')%>/> ID Tokens do not time out
-						</label>
-					</div>
                     <div>
                         <input type="text" class="" value="<%=(idTokenValiditySeconds == null ? '' : idTokenValiditySeconds)%>" id="id-token-timeout-time" size="16" style="width:8em;">
 						<select id="id-token-timeout-unit" style="width:8em;">