Description
Current Behavior
When authenticating via OpenID Connect (Keycloak in this case), Dependency-Track successfully redirects and logs in the user. However, the session inside Dependency-Track does not respect the identity provider’s (IdP) session or token lifetime.
After login, Dependency-Track generates its own JWT with the following characteristics:
```json
{
  "sub": "xxx",
  "iss": "Dependency-Track",
  "iat": 1757401735,
  "exp": 1758006535,
  "permissions": "ACCESS_MANAGEMENT,BOM_UPLOAD,POLICY_MANAGEMENT,POLICY_VIOLATION_ANALYSIS,PORTFOLIO_MANAGEMENT,PROJECT_CREATION_UPLOAD,SYSTEM_CONFIGURATION,TAG_MANAGEMENT,VIEW_BADGES,VIEW_POLICY_VIOLATION,VIEW_PORTFOLIO,VIEW_VULNERABILITY,VULNERABILITY_ANALYSIS,VULNERABILITY_MANAGEMENT",
  "idp": "OPENID_CONNECT"
}
```
As a result, users remain logged into Dependency-Track even after the IdP session has expired, creating a mismatch between IdP session policies and Dependency-Track’s session handling.
Steps to Reproduce
- Configure Dependency-Track with Keycloak (or another OIDC provider).
- Log in with a user account.
- Inspect the Dependency-Track-issued JWT.
- Observe that `exp - iat = 604800` (1 week), even if Keycloak sessions are configured for shorter durations.
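The check in step 4 can be scripted. The following is an added example, not Dependency-Track code: it decodes the payload of a Dependency-Track JWT without verifying it, computes `exp - iat`, and compares that lifetime with an assumed IdP session maximum (28800 s, i.e. an 8-hour Keycloak SSO session, used only as a constructed value). The sample token is built inline from the claims shown above, with `sub` redacted and the permission list shortened.

```python
import base64
import json

# Constructed claims mirroring the token in the report (sub redacted, permissions shortened).
SAMPLE_CLAIMS = {
    "sub": "xxx",
    "iss": "Dependency-Track",
    "iat": 1757401735,
    "exp": 1758006535,
    "permissions": "VIEW_PORTFOLIO,VIEW_VULNERABILITY",
    "idp": "OPENID_CONNECT",
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_token(claims: dict) -> str:
    # Constructed token for inspection only; the signature segment is a placeholder.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

def decode_jwt_payload(token: str) -> dict:
    # Inspection only: reads the claims without verifying the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))

def check_session_alignment(token: str, idp_max_session_seconds: int) -> dict:
    # Flags a local token whose lifetime outlives the IdP session it was minted from.
    claims = decode_jwt_payload(token)
    lifetime = int(claims["exp"]) - int(claims["iat"])
    return {
        "issuer": claims.get("iss"),
        "idp": claims.get("idp"),
        "lifetime_seconds": lifetime,
        "exceeds_idp_session": lifetime > idp_max_session_seconds,
    }

SAMPLE_TOKEN = build_unsigned_token(SAMPLE_CLAIMS)
# check_session_alignment(SAMPLE_TOKEN, 28800) returns lifetime_seconds 604800, exceeds_idp_session True
```

Paste a real token in place of `SAMPLE_TOKEN` and the realm's configured session maximum in place of 28800 to audit a deployment.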
Expected Behavior
Dependency-Track should respect the IdP's session/token expiration, or provide a configuration option to align local JWT lifetimes with the IdP.
Dependency-Track Version
4.13.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported