Step-up auth: Session expiration based on IdP response
## Problem
Currently, our OIDC step-up authentication implementation doesn't handle session expiration.
Without proper expiration handling, step-up authentication sessions might remain valid longer than intended by the identity provider, creating a potential security risk. Users might retain elevated privileges beyond the timeframe authorized by the identity provider.
Fortunately, the identity provider responds with the ID token claim `exp` (expiration time) when the user has successfully fulfilled the step-up auth challenge. Unfortunately, this claim is ignored by the current step-up auth implementation introduced in !171643+.
## Proposal
Implement a mechanism to expire step-up authentication sessions based on expiration information returned by the identity provider:
1. During the OIDC authentication flow, extract expiration information from the identity provider's response:
   * Look for [standard OIDC ID claims](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) like `exp` (expiration time) in the ID token
   * Check for custom claims that might indicate expiration intervals (<= this could be done in a separate MR)
2. Store the calculated expiration timestamp with the user's step-up authentication session
   * This could be integrated in the step-up auth session, see [`Gitlab::Auth::Oidc::StepUpAuthenticationFlow`](https://gitlab.com/gitlab-community/gitlab-org/gitlab/-/blob/d5b9612a3e7e50abd248e6f608691cc8ea2171b2/lib/gitlab/auth/oidc/step_up_authentication_flow.rb#L1)
3. Add a validation check before allowing access to protected resources:
   * Compare current time against the stored expiration timestamp
   * If expired, require the user to perform step-up authentication again
4. Implement a background job to clean up expired step-up sessions (<= to be discussed)
5. Add logging for security audit purposes when sessions expire
This implementation will ensure that elevated access privileges granted through step-up authentication align with the identity provider's security policies and expiration requirements.
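
An added example, not GitLab's implementation, of the extract, store, validate and log steps from the proposal above. The module `StepUpExpiry`, its method names, the state keys, the audit event name and the 30-second skew tolerance are assumptions, as is the choice to treat a missing or malformed `exp` as expired.

```ruby
# Added example; all names here are hypothetical, not GitLab's code.
module StepUpExpiry
  CLOCK_SKEW_SECONDS = 30 # assumed tolerance for IdP/server clock drift

  # Step 1: read `exp` (seconds since the Unix epoch) from the decoded,
  # already signature-verified ID token claims.
  def self.expiration_from(claims)
    exp = claims['exp']
    valid = (exp.is_a?(Integer) || exp.is_a?(Float)) && exp.finite? && exp.positive?
    valid ? exp.to_i : nil
  end

  # Step 2: the state stored with the user's step-up session.
  def self.build_state(claims)
    { 'state' => 'succeeded', 'exp_timestamp' => expiration_from(claims) }
  end

  # Step 3: validation before access to a protected resource.
  # Fails closed: a missing or malformed expiry counts as expired.
  def self.active?(state, now: Time.now.to_i)
    return false unless state.is_a?(Hash) && state['state'] == 'succeeded'

    exp = state['exp_timestamp']
    exp.is_a?(Integer) && now < exp + CLOCK_SKEW_SECONDS
  end

  # Steps 3 and 5: decide, and return an audit entry when step-up is stale.
  def self.authorize(state, user:, now: Time.now.to_i)
    return { decision: :allow } if active?(state, now: now)

    { decision: :step_up_required,
      audit: { event: 'step_up_auth_expired', user: user,
               exp_timestamp: state.is_a?(Hash) ? state['exp_timestamp'] : nil,
               checked_at: now } }
  end
end

# Constructed sample claims, shaped like an ID token payload after the challenge.
SAMPLE_CLAIMS = { 'sub' => 'user-1', 'acr' => 'gold', 'exp' => 1_700_000_300 }.freeze
STATE = StepUpExpiry.build_state(SAMPLE_CLAIMS)

puts StepUpExpiry.authorize(STATE, user: 'user-1', now: 1_700_000_000)
puts StepUpExpiry.authorize(STATE, user: 'user-1', now: 1_700_000_400)
```
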
## Implementation plan
- [ ] @gerardo-navarro Implement the expiration validation and logic => !200566+
- [ ] @gerardo-navarro Evaluate and implement if we need a cron job for expiring the session state of users
- [ ] @gerardo-navarro Implement the clock skew tolerance suggested by the OIDC specification
- [ ] @gerardo-navarro Extend the documentation to inform users that token expiration is considered