fix: allow expired ID token hint to end sessions

This change adds a specific error for expired ID Token hints, including too old "issued at" and "max auth age".
The error is returned VerifyIDTokenHint so that the end session handler can choose to ignore this error.

This fixes the behavior to be in line with [OpenID Connect RP-Initiated Logout 1.0, section 4](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling).

pkg/op/verifier_id_token_hint_test.go

@@ -71,21 +71,23 @@ func TestVerifyIDTokenHint(t *testing.T) {
 	tests := []struct {
 		name        string
 		tokenClaims func() (string, *oidc.IDTokenClaims)
-		wantErr     bool
+		wantClaims  bool
+		wantErr     error
 	}{
 		{
 			name:        "success",
 			tokenClaims: tu.ValidIDToken,
+			wantClaims:  true,
 		},
 		{
 			name:        "parse err",
 			tokenClaims: func() (string, *oidc.IDTokenClaims) { return "~~~~", nil },
-			wantErr:     true,
+			wantErr:     oidc.ErrParse,
 		},
 		{
 			name:        "invalid signature",
 			tokenClaims: func() (string, *oidc.IDTokenClaims) { return tu.InvalidSignatureToken, nil },
-			wantErr:     true,
+			wantErr:     oidc.ErrSignatureUnsupportedAlg,
 		},
 		{
 			name: "wrong issuer",
@@ -96,29 +98,7 @@ func TestVerifyIDTokenHint(t *testing.T) {
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
 				)
 			},
-			wantErr: true,
-		},
-		{
-			name: "expired",
-			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return tu.NewIDToken(
-					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
-					tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce,
-					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
-				)
-			},
-			wantErr: true,
-		},
-		{
-			name: "wrong IAT",
-			tokenClaims: func() (string, *oidc.IDTokenClaims) {
-				return tu.NewIDToken(
-					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
-					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
-					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, -time.Hour, "",
-				)
-			},
-			wantErr: true,
+			wantErr: oidc.ErrIssuerInvalid,
 		},
 		{
 			name: "wrong acr",
@@ -129,7 +109,31 @@ func TestVerifyIDTokenHint(t *testing.T) {
 					"else", tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
 				)
 			},
-			wantErr: true,
+			wantErr: oidc.ErrAcrInvalid,
+		},
+		{
+			name: "expired",
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration.Add(-time.Hour), tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
+				)
+			},
+			wantClaims: true,
+			wantErr:    IDTokenHintExpiredError{oidc.ErrExpired},
+		},
+		{
+			name: "IAT too old",
+			tokenClaims: func() (string, *oidc.IDTokenClaims) {
+				return tu.NewIDToken(
+					tu.ValidIssuer, tu.ValidSubject, tu.ValidAudience,
+					tu.ValidExpiration, tu.ValidAuthTime, tu.ValidNonce,
+					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, time.Hour, "",
+				)
+			},
+			wantClaims: true,
+			wantErr:    IDTokenHintExpiredError{oidc.ErrIatToOld},
 		},
 		{
 			name: "expired auth",
@@ -140,7 +144,8 @@ func TestVerifyIDTokenHint(t *testing.T) {
 					tu.ValidACR, tu.ValidAMR, tu.ValidClientID, tu.ValidSkew, "",
 				)
 			},
-			wantErr: true,
+			wantClaims: true,
+			wantErr:    IDTokenHintExpiredError{oidc.ErrAuthTimeToOld},
 		},
 	}
 	for _, tt := range tests {
@@ -148,14 +153,12 @@ func TestVerifyIDTokenHint(t *testing.T) {
 			token, want := tt.tokenClaims()
 
 			got, err := VerifyIDTokenHint[*oidc.IDTokenClaims](context.Background(), token, verifier)
-			if tt.wantErr {
-				assert.Error(t, err)
-				assert.Nil(t, got)
+			require.ErrorIs(t, err, tt.wantErr)
+			if tt.wantClaims {
+				assert.Equal(t, got, want, "claims")
 				return
 			}
-			require.NoError(t, err)
-			require.NotNil(t, got)
-			assert.Equal(t, got, want)
+			assert.Nil(t, got, "claims")
 		})
 	}
 }