Merge commit from fork

internal/api/oidc/integration_test/token_jwt_profile_test.go

@@ -21,7 +21,9 @@ import (
 )
 
 func TestServer_JWTProfile(t *testing.T) {
-	user, name, keyData, err := Instance.CreateOIDCJWTProfileClient(CTX)
+	user, name, keyData, err := Instance.CreateOIDCJWTProfileClient(CTX, time.Hour)
+	require.NoError(t, err)
+	_, _, keyDataExpired, err := Instance.CreateOIDCJWTProfileClient(CTX, 10*time.Second)
 	require.NoError(t, err)
 
 	type claims struct {
@@ -104,6 +106,12 @@ func TestServer_JWTProfile(t *testing.T) {
 				resourceOwnerPrimaryDomain: Instance.DefaultOrg.PrimaryDomain,
 			},
 		},
+		{
+			name:    "key expired",
+			keyData: keyDataExpired,
+			scope:   []string{oidc.ScopeOpenID},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -123,6 +131,9 @@ func TestServer_JWTProfile(t *testing.T) {
 				},
 				time.Minute, time.Second,
 			)
+			if tt.wantErr {
+				return
+			}
 
 			provider, err := rp.NewRelyingPartyOIDC(CTX, Instance.OIDCIssuer(), "", "", redirectURI, tt.scope)
 			require.NoError(t, err)

internal/integration/oidc.go

@@ -438,7 +438,7 @@ func (i *Instance) CreateOIDCCredentialsClientInactive(ctx context.Context) (mac
 	return machine, name, secret.GetClientId(), secret.GetClientSecret(), nil
 }
 
-func (i *Instance) CreateOIDCJWTProfileClient(ctx context.Context) (machine *management.AddMachineUserResponse, name string, keyData []byte, err error) {
+func (i *Instance) CreateOIDCJWTProfileClient(ctx context.Context, keyLifetime time.Duration) (machine *management.AddMachineUserResponse, name string, keyData []byte, err error) {
 	name = gofakeit.Username()
 	machine, err = i.Client.Mgmt.AddMachineUser(ctx, &management.AddMachineUserRequest{
 		Name:            name,
@@ -451,7 +451,7 @@ func (i *Instance) CreateOIDCJWTProfileClient(ctx context.Context) (machine *man
 	keyResp, err := i.Client.Mgmt.AddMachineKey(ctx, &management.AddMachineKeyRequest{
 		UserId:         machine.GetUserId(),
 		Type:           authn.KeyType_KEY_TYPE_JSON,
-		ExpirationDate: timestamppb.New(time.Now().Add(time.Hour)),
+		ExpirationDate: timestamppb.New(time.Now().Add(keyLifetime)),
 	})
 	if err != nil {
 		return nil, "", nil, err

internal/query/authn_key_user.sql

@@ -3,9 +3,10 @@ from projections.authn_keys2 k
 join projections.users14 u
 	on k.instance_id = u.instance_id
 	and k.identifier = u.id
-join projections.users14_machines m 
+join projections.users14_machines m
 	on u.instance_id = m.instance_id
 	and u.id = m.user_id
 where k.instance_id = $1
 	and k.id = $2
-	and u.id = $3;
+	and u.id = $3
+    and k.expiration > current_timestamp;