
fix: add optional exp claim to back-channel logout token#4073

Open: ktsu2i wants to merge 1 commit into ory:master from ktsu2i:feature/logout-token-exp

Conversation


@ktsu2i ktsu2i commented Mar 1, 2026

The OpenID Connect Back-Channel Logout 1.0 specification requires the exp claim in logout tokens, but Hydra currently omits it.

This adds a new ttl.logout_token configuration option. When set (e.g. 2m), the exp claim is included in the logout token.

When unset or 0, the current behavior is preserved for backward compatibility.

Related issue(s)

#4035

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I am following the contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact security@ory.com) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added or changed the documentation.

Further Comments

Summary by CodeRabbit

  • New Features
    • Logout tokens can optionally include an expiration (exp) claim controlled by the ttl.logout_token configuration; when unset or zero, tokens remain backward-compatible (no exp).
  • Tests
    • Added tests verifying both unset and configured logout token lifespans, asserting presence/absence of exp and correct iat/exp timing.
  • Style
    • Minor import/formatting housekeeping across utility packages.
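The behaviour this PR describes (an exp claim added to the back-channel logout token only when ttl.logout_token is non-zero, unchanged claims otherwise), together with the claim checks a relying party should run on such a token, as an added Go example. This is not Hydra's code: LogoutTokenClaims and ValidateLogoutTokenClaims are hypothetical names, claims are kept as a plain map with no signing, and the issuer, client and session values are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// BackChannelLogoutEvent is the event name that OpenID Connect Back-Channel
// Logout 1.0 requires as a key inside the "events" claim of a logout token.
const BackChannelLogoutEvent = "http://schemas.openid.net/event/backchannel-logout"

// LogoutTokenClaims builds the claim set of a back-channel logout token.
// Hypothetical helper (not Hydra's code): "exp" is added only when the
// configured lifespan (ttl.logout_token) is non-zero, so an unset or zero
// lifespan leaves the old claim set untouched, as the PR describes.
func LogoutTokenClaims(issuer, clientID, subject, sid, jti string, now time.Time, lifespan time.Duration) map[string]any {
	claims := map[string]any{
		"iss":    issuer,
		"aud":    clientID,
		"iat":    now.Unix(),
		"jti":    jti,
		"events": map[string]any{BackChannelLogoutEvent: map[string]any{}},
	}
	if subject != "" {
		claims["sub"] = subject
	}
	if sid != "" {
		claims["sid"] = sid
	}
	if lifespan > 0 {
		claims["exp"] = now.Add(lifespan).Unix()
	}
	return claims
}

// ValidateLogoutTokenClaims applies the claim checks a relying party performs
// before acting on a logout token (signature verification is assumed to have
// happened already). With requireExp=true a missing "exp" is rejected, as the
// spec requires; with requireExp=false the RP tolerates issuers that still
// omit it, but then bounds the token's age by maxAge measured from "iat".
func ValidateLogoutTokenClaims(claims map[string]any, issuer, clientID string, now time.Time, requireExp bool, maxAge time.Duration) error {
	if claims["iss"] != issuer {
		return errors.New("iss does not match the expected issuer")
	}
	if claims["aud"] != clientID {
		return errors.New("aud does not match this client")
	}
	iat, ok := claims["iat"].(int64)
	if !ok {
		return errors.New("iat claim missing")
	}
	if _, ok := claims["jti"].(string); !ok {
		return errors.New("jti claim missing")
	}
	// The spec prohibits a nonce so a logout token cannot be passed off as an ID Token.
	if _, hasNonce := claims["nonce"]; hasNonce {
		return errors.New("nonce claim present; logout tokens must not carry one")
	}
	events, ok := claims["events"].(map[string]any)
	if !ok {
		return errors.New("events claim missing")
	}
	if _, ok := events[BackChannelLogoutEvent]; !ok {
		return errors.New("events claim lacks the backchannel-logout event")
	}
	if claims["sub"] == nil && claims["sid"] == nil {
		return errors.New("logout token must carry sub, sid or both")
	}
	exp, hasExp := claims["exp"].(int64)
	switch {
	case hasExp:
		// On or after exp the token must not be accepted.
		if now.Unix() >= exp {
			return fmt.Errorf("token expired at %d (now %d)", exp, now.Unix())
		}
	case requireExp:
		return errors.New("exp claim missing")
	default:
		if now.Sub(time.Unix(iat, 0)) > maxAge {
			return errors.New("token without exp is older than the allowed maximum age")
		}
	}
	return nil
}

func main() {
	now := time.Now().UTC()
	// Constructed issuer/client/session values; the two TTLs mirror the PR's tests.
	for _, ttl := range []time.Duration{0, 2 * time.Minute} {
		claims := LogoutTokenClaims("https://hydra.example.test", "client-1", "user-42", "session-7", "jti-"+ttl.String(), now, ttl)
		_, hasExp := claims["exp"]
		err := ValidateLogoutTokenClaims(claims, "https://hydra.example.test", "client-1", now.Add(30*time.Second), true, 0)
		fmt.Printf("ttl=%v exp present=%t strict validation error=%v\n", ttl, hasExp, err)
	}
}
```

Running main shows the practical consequence of the default: with ttl.logout_token left at 0 the token carries no exp, so a relying party that enforces the spec's REQUIRED exp rejects it, which is why an operator adopting strict RPs should set a short lifespan such as 2m.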


@ktsu2i ktsu2i marked this pull request as ready for review March 1, 2026 08:19
@ktsu2i ktsu2i requested review from a team and aeneasr as code owners March 1, 2026 08:19

ktsu2i commented Mar 1, 2026

Hi Hydra team ( @aeneasr ),

There are two CI failures, but I'd appreciate it if you could take a look at this PR when you get a chance.
I’d love to get your thoughts on whether the overall approach makes sense.

Thanks!

@ktsu2i ktsu2i force-pushed the feature/logout-token-exp branch from cff6a79 to 76913b0 Compare March 4, 2026 11:15

coderabbitai Bot commented May 21, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 4b1d68b and c5cd96a.

📒 Files selected for processing (9)
  • consent/strategy_default.go
  • consent/strategy_logout_test.go
  • driver/config/provider.go
  • oryx/httpx/ssrf.go
  • oryx/otelx/middleware.go
  • oryx/prometheusx/metrics.go
  • oryx/region/region.go
  • oryx/watcherx/directory.go
  • spec/config.json
✅ Files skipped from review due to trivial changes (4)
  • oryx/httpx/ssrf.go
  • oryx/watcherx/directory.go
  • oryx/region/region.go
  • oryx/otelx/middleware.go

Walkthrough

Adds an optional exp claim to backchannel logout JWTs controlled by new ttl.logout_token config (default 0). Captures now for iat, exposes provider accessor and JSON schema, and updates tests for both configured and unconfigured TTL. Also contains unrelated import/formatting reorder edits.

Changes

Logout Token Expiration
  • Configuration and Contract (driver/config/provider.go, spec/config.json): New exported constant KeyLogoutTokenLifespan ("ttl.logout_token") and DefaultProvider.GetLogoutTokenLifespan(ctx) reading the logout token TTL with default 0. Schema adds ttl.logout_token as a duration string with docs about exp handling.
  • JWT Claims Implementation (consent/strategy_default.go): executeBackChannelLogout captures now := time.Now().UTC() for iat and conditionally includes exp when GetLogoutTokenLifespan(ctx) returns non-zero.
  • Test Coverage (consent/strategy_logout_test.go): Adds an assertion that exp is absent when unconfigured and a new test that sets ttl.logout_token = 2m, runs the backchannel logout flow, and validates exp ≈ iat + 120s.

Non-functional import/formatting edits
  • Import reorders and whitespace tweaks (oryx/httpx/ssrf.go, oryx/otelx/middleware.go, oryx/prometheusx/metrics.go, oryx/region/region.go, oryx/watcherx/directory.go): Reordered non-stdlib imports and adjusted whitespace/alignment in a struct field; no behavioral changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Pre-merge checks: ✅ 4 passed, ❌ 1 failed

Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)
  • Title check: ✅ Passed. The title accurately describes the main change: adding an optional exp claim to back-channel logout tokens.
  • Description check: ✅ Passed. The description is complete, covering the OpenID Connect spec requirement, the new configuration option, backward compatibility, related issue link, and all checklist items are marked complete.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


Inline comments:

In `spec/config.json`, around line 731-733: The description for the logout token duration refers to setting the value to numeric "0" but the schema is a duration string; update the wording to require the zero duration to be expressed as "0s" (or another valid duration string) and clarify that a plain numeric 0 is invalid. Locate the description string in spec/config.json (the logout token duration field) and change "set to 0" to "set to \"0s\" (zero seconds) or left unset" and mention it must follow the duration string format defined by the schema.

📥 Commits

Reviewing files that changed from the base of the PR and between 2e62d4d and d5bb3c2.

📒 Files selected for processing (4)
  • consent/strategy_default.go
  • consent/strategy_logout_test.go
  • driver/config/provider.go
  • spec/config.json

Comment thread on spec/config.json (outdated)
@ktsu2i ktsu2i force-pushed the feature/logout-token-exp branch 2 times, most recently from 4b1d68b to 8875bf2 Compare May 21, 2026 13:15
@ktsu2i ktsu2i force-pushed the feature/logout-token-exp branch from 8875bf2 to c5cd96a Compare May 21, 2026 13:15