  1. Identity Gateway
  2. OPENIG-2762

PolicyEnforcementFilter does not re-authenticate after expiry of a stateless application token


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 5.5.0
    • Fix Version/s: 5.5.0, 6.5.0
    • Component/s: OpenAM
    • Labels: None
    • Story Points: 0

      Description

      Adding this as an IG issue just for tracking purposes as the issue may be in AM only - OPENAM-13162.

      If a PolicyEnforcementFilter is in a realm configured to use stateless tokens, once the pepUser's token expires, IG will not re-authenticate but will instead return an error.

      Workaround:

      Put the pepUser in a realm that uses stateful tokens.

       

      Shouldn't be an issue on 6.0 as long-lived application tokens are used instead and there doesn't seem to be a way to change the validity of a stateless application token.

      com.iplanet.am.session.agentSessionIdleTime

      Time in minutes after which a web or Java agent's CTS-based session expires. Note that this setting is ignored when AM creates a client-based session for a web or Java agent.

       

      Default: 0 (never time out). You can set this property to 0, or 30 and higher (no maximum limit).

      https://backstage.forgerock.com/docs/am/6/reference/#server-advanced

       


              People

              Assignee:
              Unassigned
              Reporter:
              andrew.dunn Andrew Dunn [X] (Inactive)