PoC: enforce upstream IdP session_expiry ceiling#117
Open
kishore7snehil wants to merge 3 commits into
Open
Conversation
…laim extraction Add a login-time lockout guard to complete_interactive_login: when the upstream IdP asserts a session_expiry ceiling already in the past at login (compared against the ID token iat with the same 30s leeway as read-time enforcement), raise the new flow-agnostic SessionExpiredError instead of persisting an already-expired session. A missing claim stays a no-op, preserving existing behavior. Generalize extract_session_expiry into extract_epoch_claim(claims, name), reused for both session_expiry and iat, and rename the ceiling predicates to is_session_ceiling_reached (read-time) and is_session_ceiling_in_past (login). Document the login rejection in the README, RetrievingData guide, and the ipsie-webapp example.
…m boundary The signature-verified, Auth0-issued ID token has already been validated upstream (the platform refuses to emit a malformed session_expiry), so the SDK reads it like every other operational claim instead of running a bespoke validator. Removes State.extract_epoch_claim and reads session_expiry/iat with a plain .get() at both extraction sites; the None guards in the ceiling comparison functions still deliver the absent/null "no ceiling" safe default. Production-reachable inputs (absent/null, clean integer) are unchanged; only unreachable malformed values change behavior, now failing closed rather than being silently accepted.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds enforcement of the IPSIE
session_expiryclaim for enterprise connections.When the connection is configured to honor an upstream IdP session ceiling, Auth0
includes a
session_expiryclaim (absolute Unix seconds) in the ID token. The SDKreads it at login, stores it with the session, and enforces it on every session read.
Changes
Enforcement
session_expiryfrom userinfo / verified ID-token claims atcomplete_interactive_loginand stamps it onto the internal session state.get_user()andget_session()returnNoneonce the ceiling is reached(silent — behaves like no session, so existing redirect-to-login fires).
get_access_token()raisesAccessTokenErrorwith codesession_expired(loud — checked before serving cache or refreshing; refresh is never attempted).
Claims access
session_expiryis surfaced onUserClaims, so it can be read viaget_user()without triggering enforcement.New / changed types & errors
UserClaims.session_expiry: Optional[int]InternalStateData.session_expires_at: Optional[int]AccessTokenErrorCode.SESSION_EXPIRED = "session_expired"