
Provide a supported code level API to find and delete existing SSO Tokens


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.0, 6.5.1, 6.5.2, 5.5.2, 7.0.0
    • Fix Version/s: None
    • Component/s: scripting, session, trees
    • Labels:
    • Support Ticket IDs:


      A common customer use case is to not only lock a given user, but also find and delete all of that user's existing active tokens as part of the AuthN journey. This can be achieved through the REST API (see https://medium.com/@darinder.shokar/how-to-lockout-a-user-and-delete-all-their-active-tokens-in-forgerock-am-b3fb2fe7ea92), but that is a reactive rather than a proactive approach (i.e. one that runs automatically as part of the AuthN journey).

      What would also be extremely useful is if a custom node, either scripted (ideally, for PaaS support) or Java-based, could call internal public APIs to execute the same functionality as these REST calls. This can be done today by mimicking the above REST calls from within the node, but building a node (scripted or Java) that effectively calls back into AM itself over HTTP is wasteful and inefficient, and needlessly consumes threads.

      The com.iplanet.dpro.session.service.SessionService API is not public, and com.iplanet.sso.SSOTokenManager does not appear to accept a UID (only an SSO token).

      The request is to provide a public API which custom scripted or Java nodes could leverage to satisfy this use case without the need to make internal invocation calls over HTTP.

      Example Tree attached.




    • Assignee: shokard (Darinder Shokar)
    • Votes: 0
    • Watchers: 2