Make JWT expiration time configurable

and drop attempt to set JWT header (golang-jwt/jwt does not seem to use TokenOptions ever)

modules/setting/actions.go

@@ -27,6 +27,7 @@ var (
 		LimitDispatchInputs      int64             `ini:"LIMIT_DISPATCH_INPUTS"`
 		JWTSigningAlgorithm      string            `ini:"JWT_SIGNING_ALGORITHM"`
 		JWTSigningPrivateKeyFile string            `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
+		JWTExpirationTime        time.Duration     `ini:"JWT_EXPIRATION_TIME"`
 	}{
 		Enabled:                  true,
 		DefaultActionsURL:        defaultActionsURLForgejo,
@@ -34,6 +35,7 @@ var (
 		LimitDispatchInputs:      10,
 		JWTSigningAlgorithm:      "EdDSA",
 		JWTSigningPrivateKeyFile: "actions_oidc/private.pem",
+		JWTExpirationTime:        time.Hour,
 	}
 )
 

routers/api/actions/oidc.go

@@ -160,9 +160,9 @@ func (o oidcRoutes) getToken(ctx *ArtifactContext) {
 		"runner_environment":    "self-hosted", // not sure what this should be set to, github will have either "github-hosted" or "self-hosted"
 		"iss":                   setting.AppURL + setting.AppSubURL + "/api/actions_idtoken",
 		"nbf":                   jwt.NewNumericDate(iat),
-		"exp":                   jwt.NewNumericDate(iat.Add(time.Minute * 15)),
+		"exp":                   jwt.NewNumericDate(iat.Add(setting.Actions.JWTExpirationTime)),
 		"iat":                   jwt.NewNumericDate(iat),
-	}, addTokenHeaders(o.signingKey))
+	})
 
 	signedJWT, err := token.SignedString(o.signingKey.SignKey())
 	if err != nil {
@@ -212,12 +212,3 @@ func (o oidcRoutes) getOpenIDConfiguration(resp http.ResponseWriter, req *http.R
 		return
 	}
 }
-
-func addTokenHeaders(key jwtx.JWTSigningKey) jwt.TokenOption {
-	return func(t *jwt.Token) {
-		kid := key.KID()
-		if kid != "" {
-			t.Header["kid"] = kid
-		}
-	}
-}