[OPENAM-11278] Add ability to associate AuthLevel with an access token Created: 14/Jun/17  Updated: 11/Sep/19  Resolved: 15/Sep/17

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0
Fix Version/s: 14.5.0

Type: Improvement Priority: Major
Reporter: Darinder Shokar Assignee: Quentin CASTEL [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: EDISON, Must-Fix
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to OPENAM-15424 Setting auth_level on access token ge... Resolved
is related to OPENAM-13919 Compatibility of tokeninfo endpoint r... Open
Target Version/s:
Sprint: AM Sustaining Sprint 40
Story Points: 5
Support Ticket IDs:


All OAuth2 flows except client credentials traverse a particular chain for AuthN before generating access tokens. The "system" therefore knows the AuthLevel when generating the access token; however, this is lost after the point of creation and is non-retrievable thereafter.

The request is to preserve the authentication level (AuthLevel) for access tokens (perhaps in CTS as a new attribute, or added to the existing CoreTokenObject attribute).

Note: the Auth Code token already preserves the full SSO token in CoreTokenObject and in the CoreTokenString13 attribute, so perhaps this could be used either to persist the whole SSO token to the access token CTS attributes or, probably better, to extract AuthLevel at the point of access token creation, in case the SSO token has a shorter validity period than the access token and expires. Of course this would not be applicable to implicit or resource owner flows.

In addition, to try to remain spec compliant, this functionality should map to a custom scope, and if specified by the client, the introspect endpoint returns the actual authentication level at the point of creation of the access token.
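The following is an added illustration, not OpenAM code, of the two designs weighed in the description: looking the level up from the referenced SSO token at introspection time versus snapshotting it when the access token is created, with the value exposed only when a custom scope was granted. The scope name `auth_level`, the response field of the same name and the token classes are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Dict, Any, Iterable

AUTH_LEVEL_SCOPE = "auth_level"   # hypothetical custom scope name (assumption)


@dataclass
class SSOToken:
    auth_level: int
    expires_at: float             # epoch seconds


@dataclass
class AccessToken:
    scopes: set
    expires_at: float
    sso_token: SSOToken           # reference only: usable while the SSO token lives
    auth_level: Optional[int]     # snapshot taken at creation, or None if not taken


def issue_access_token(sso: SSOToken, scopes: Iterable[str], ttl: float,
                       now: float, snapshot: bool = True) -> AccessToken:
    """Create an access token; with snapshot=True the AuthLevel is copied at creation."""
    return AccessToken(set(scopes), now + ttl, sso,
                       sso.auth_level if snapshot else None)


def introspect(token: AccessToken, now: float) -> Dict[str, Any]:
    """RFC 7662-style response; the level is returned only when the custom scope was granted."""
    if now >= token.expires_at:
        return {"active": False}
    resp: Dict[str, Any] = {"active": True,
                            "scope": " ".join(sorted(token.scopes)),
                            "exp": int(token.expires_at)}
    if AUTH_LEVEL_SCOPE in token.scopes:
        if token.auth_level is not None:
            resp["auth_level"] = token.auth_level          # snapshot survives SSO expiry
        elif now < token.sso_token.expires_at:
            resp["auth_level"] = token.sso_token.auth_level  # lookup works only while SSO token lives
        # otherwise the level is unrecoverable and the field is omitted
    return resp


if __name__ == "__main__":
    # Constructed sample: SSO token valid 60 s, access token valid 1 h.
    now = 1000.0
    sso = SSOToken(auth_level=10, expires_at=now + 60)
    by_reference = issue_access_token(sso, ["profile", "auth_level"], 3600, now, snapshot=False)
    by_snapshot = issue_access_token(sso, ["profile", "auth_level"], 3600, now, snapshot=True)
    print(introspect(by_reference, now + 120))   # no auth_level: SSO token already expired
    print(introspect(by_snapshot, now + 120))    # auth_level: 10
```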

Comment by Peter Major [ 14/Jun/17 ]

NB: resource owner password grant authenticates the end-user by performing a noSession authentication. We should consider updating the AuthContext API to expose the AuthLevel even when there is no session associated with the successful login.

Comment by Phill Cunnington [ 19/Jun/17 ]

Darinder Shokar would it be possible to use stateless OAuth2 in this scenario? We could then explore the possibility of adding the AuthLevel to the stateless access token JWT.

Comment by Darinder Shokar [ 20/Jun/17 ]

Phill Cunnington - I think stateless OAuth2 is a valid use case for many customers, however for this customer it's a no go for now.

Comment by Quentin CASTEL [X] (Inactive) [ 09/Oct/17 ]

I created AME-14778 to track the doc side of this RFE.

Generated at Tue Mar 31 19:03:57 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.