set the expiration time for the oidc idToken

Signed-off-by: mingfu <mingfu@alauda.io>

.changeset/nice-peaches-reflect.md

@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend': patch
+---
+
+Set the expiration time of oidc `idToken` to be less than backstage session expiration time.

plugins/auth-backend/src/lib/session/constants.ts

@@ -0,0 +1,19 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// BACKSTAGE_SESSION_EXPIRATION the default session expiration time
+// TODO: find a less hard-coded way to access this, perhaps by reading it from the configuration.
+export const BACKSTAGE_SESSION_EXPIRATION = 3600;

plugins/auth-backend/src/lib/session/index.ts

@@ -0,0 +1,17 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export { BACKSTAGE_SESSION_EXPIRATION } from './constants';

plugins/auth-backend/src/providers/github/provider.ts

@@ -42,12 +42,10 @@ import {
   OAuthRefreshRequest,
 } from '../../lib/oauth';
 import { createAuthProviderIntegration } from '../createAuthProviderIntegration';
+import { BACKSTAGE_SESSION_EXPIRATION } from '../../lib/session';
 
 const ACCESS_TOKEN_PREFIX = 'access-token.';
 
-// TODO(Rugvip): Auth providers need a way to access this in a less hardcoded way
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
-
 type PrivateInfo = {
   refreshToken?: string;
 };

plugins/auth-backend/src/providers/microsoft/provider.ts

@@ -51,8 +51,7 @@ import { Logger } from 'winston';
 import fetch from 'node-fetch';
 import { decodeJwt } from 'jose';
 import { Profile as PassportProfile } from 'passport';
-
-const BACKSTAGE_SESSION_EXPIRATION = 3600;
+import { BACKSTAGE_SESSION_EXPIRATION } from '../../lib/session';
 
 type PrivateInfo = {
   refreshToken: string;

plugins/auth-backend/src/providers/oidc/provider.ts

@@ -48,6 +48,7 @@ import {
   commonByEmailLocalPartResolver,
   commonByEmailResolver,
 } from '../resolvers';
+import { BACKSTAGE_SESSION_EXPIRATION } from '../../lib/session';
 
 type PrivateInfo = {
   refreshToken?: string;
@@ -179,17 +180,15 @@ export class OidcAuthProvider implements OAuthHandlers {
   // Then populate the profile with it
   private async handleResult(result: OidcAuthResult): Promise<OAuthResponse> {
     const { profile } = await this.authHandler(result, this.resolverContext);
-    const response: OAuthResponse = {
-      providerInfo: {
-        idToken: result.tokenset.id_token,
-        accessToken: result.tokenset.access_token!,
-        scope: result.tokenset.scope!,
-        expiresInSeconds: result.tokenset.expires_in,
-      },
-      profile,
-    };
+
+    const expiresInSeconds =
+      result.tokenset.expires_in === undefined
+        ? BACKSTAGE_SESSION_EXPIRATION
+        : Math.min(result.tokenset.expires_in, BACKSTAGE_SESSION_EXPIRATION);
+
+    let backstageIdentity = undefined;
     if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver(
+      backstageIdentity = await this.signInResolver(
         {
           result,
           profile,
@@ -198,7 +197,16 @@ export class OidcAuthProvider implements OAuthHandlers {
       );
     }
 
-    return response;
+    return {
+      backstageIdentity,
+      providerInfo: {
+        idToken: result.tokenset.id_token,
+        accessToken: result.tokenset.access_token!,
+        scope: result.tokenset.scope!,
+        expiresInSeconds,
+      },
+      profile,
+    };
   }
 }
 

plugins/auth-backend/src/service/router.ts

@@ -37,6 +37,7 @@ import passport from 'passport';
 import { Minimatch } from 'minimatch';
 import { CatalogAuthResolverContext } from '../lib/resolvers';
 import { AuthDatabase } from '../database/AuthDatabase';
+import { BACKSTAGE_SESSION_EXPIRATION } from '../lib/session';
 
 /** @public */
 export type ProviderFactories = { [s: string]: AuthProviderFactory };
@@ -77,7 +78,7 @@ export async function createRouter(
     logger,
     database: authDb,
   });
-  const keyDurationSeconds = 3600;
+  const keyDurationSeconds = BACKSTAGE_SESSION_EXPIRATION;
 
   const tokenIssuer = new TokenFactory({
     issuer: authUrl,