Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-11278

Add ability to associate AuthLevel with an access token


    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0
    • Fix Version/s: 14.5.0
    • Component/s: oauth2
    • Labels:
    • Sprint:
      AM Sustaining Sprint 40
    • Story Points:
    • Support Ticket IDs:


      All OAuth2 flows except client credentials traverse a particular chain for AuthN before generating access tokens. The "system" therefore knows the AuthLevel when generating the access token, however this is lost after the point of creation and non retrievable thereafter. 

      The request is to preserve the authentication level (AuthLevel) for access tokens (perhaps in CTS as a new attribute or added to the existing CoreTokenObject attribute. 

      Note: the Auth Code token already preserves the full SSO token in CoreTokenObject and in the CoreTokenString13 attribute so perhaps this could be used to either persist the whole SSO token to the access token CTS attributes or probably better is to extract AuthLevel at the point of access token creation in case the SSO token has a shorter validity period to access token and expires. Of course this would not be applicable to implicit or resource owner flows.

      In addition to try remain spec compliant this functionality should map to a custom scope and if specified by the client the introspect endpoint returns the actual authentication level at the point of creation of the access token.


          Issue Links



              • Assignee:
                quentin.castel Quentin CASTEL [X] (Inactive)
                shokard Darinder Shokar
              • Votes:
                0 Vote for this issue
                9 Start watching this issue


                • Created: