Uploaded image for project: 'OpenIDM'
  1. OpenIDM
  2. OPENIDM-14689

IDM support for access tokens issued from multiple realms

    Details

      Description

      Currently, the rsFilter feature of IDM can only introspect access tokens for a single realm. Customers frequently choose to use multiple realms in AM, however. Users for any realm which is not the one configured in IDM will be unable to use any IDM-related features. This includes self-service trees (since the tree is configured within a realm, and the client used by the tree is also configured within that realm, and so the AT used when AM communicates to IDM is also only valid within that realm).

      Thoughts on possible solutions:

      IDM must have some way to know which realm is associated with a given AT. One possibility would be if we are willing to require that AM use client-based ATs when in "platform" mode; we could change IDM's introspection logic to look within the jwt and find the realm as a claim. Using this, IDM could use that detail (along with the subject) to find the appropriate realm-based-user (however realms are represented in the IDM data layer; this is a separate concern).

      Another possibility is to change AM so that parent realms can introspect ATs issued to sub-realms (and change it so that the introspection response includes the realm). Then IDM can simply use AM's root-level introspection endpoint to get the realm.

      A less ideal option would be to allow multiple configuration blocks within IDM's rsFilter - one per realm. Then IDM would have to loop through each block and test each introspection endpoint, to see if any of them recognize the given access token. While this would work, it would also generate more traffic between AM and IDM (especially when there are a large number of realms).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                brmiller Brendan Miller
                Reporter:
                jake.feasel Jake Feasel
                QA Assignee:
                Jon Branch
              • Votes:
                1 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: