[OPENAM-11278] Add ability to associate AuthLevel with an access token
Created: 14/Jun/17  Updated: 11/Sep/19  Resolved: 15/Sep/17
Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0
Reporter: Darinder Shokar
Assignee: Quentin CASTEL [X] (Inactive)
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Sprint: AM Sustaining Sprint 40
Support Ticket IDs:
All OAuth2 flows except client credentials traverse a particular chain for AuthN before generating access tokens. The "system" therefore knows the AuthLevel when generating the access token; however, this is lost after the point of creation and non-retrievable thereafter.

The request is to preserve the authentication level (AuthLevel) for access tokens (perhaps in CTS as a new attribute, or added to the existing CoreTokenObject attribute).

Note: the Auth Code token already preserves the full SSO token in CoreTokenObject and in the CoreTokenString13 attribute, so perhaps this could be used to either persist the whole SSO token to the access token CTS attributes or, probably better, to extract AuthLevel at the point of access token creation in case the SSO token has a shorter validity period than the access token and expires. Of course this would not be applicable to implicit or resource owner flows.

In addition, to try to remain spec compliant, this functionality should map to a custom scope and, if specified by the client, the introspect endpoint returns the actual authentication level at the point of creation of the access token.
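The description above argues for two things: snapshot the AuthLevel when the access token is minted rather than looking it up from the SSO token later (the session may expire first), and expose it through introspection only when the client asked for a custom scope. The following is an added, self-contained Python model of that design; it is not OpenAM code, and the scope name, class names and field names are assumptions chosen for illustration. It also covers the client credentials grant, which the issue notes has no AuthN chain and therefore no auth level to record.

```python
"""Constructed model of the design proposed in OPENAM-11278 (not OpenAM code):
snapshot the AuthLevel when an access token is minted, keep it with the token
record, and return it from introspection only when a custom scope was granted.
All names, the scope string and the sample values are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Hypothetical custom scope a client requests to have the auth level returned
# by the introspect endpoint (assumption; not an OpenAM scope name).
AUTHLEVEL_SCOPE = "openam:authlevel"


@dataclass
class SsoSession:
    """Stand-in for the SSO session produced by the AuthN chain."""
    auth_level: int
    expires_at: float

    def is_valid(self, now: float) -> bool:
        return now < self.expires_at


@dataclass
class AccessToken:
    """Stand-in for the CTS record of an access token."""
    token_id: str
    scopes: FrozenSet[str]
    expires_at: float
    # AuthLevel copied at creation time; None for the client credentials grant,
    # which authenticates no end user and therefore has no auth level.
    auth_level: Optional[int]
    # Reference to the originating session, kept only to show why relying on it
    # at lookup time is fragile: it may expire before the access token does.
    sso_session: Optional[SsoSession]


TokenStore = Dict[str, AccessToken]


def issue_access_token(store: TokenStore, token_id: str,
                       session: Optional[SsoSession], requested_scopes,
                       ttl: float, now: float) -> AccessToken:
    """Mint an access token, snapshotting the AuthLevel of the session used for
    AuthN. Pass session=None for the client credentials grant."""
    if session is not None and not session.is_valid(now):
        raise ValueError("cannot mint an access token from an expired session")
    token = AccessToken(
        token_id=token_id,
        scopes=frozenset(requested_scopes),
        expires_at=now + ttl,
        auth_level=None if session is None else session.auth_level,
        sso_session=session,
    )
    store[token_id] = token
    return token


def introspect(store: TokenStore, token_id: str, now: float) -> dict:
    """RFC 7662-style response; the auth level is included only when the custom
    scope was granted and a level was recorded at creation."""
    token = store.get(token_id)
    if token is None or now >= token.expires_at:
        return {"active": False}
    response = {
        "active": True,
        "scope": " ".join(sorted(token.scopes)),
        "exp": int(token.expires_at),
    }
    if AUTHLEVEL_SCOPE in token.scopes and token.auth_level is not None:
        response["auth_level"] = token.auth_level
    return response


def auth_level_via_session(store: TokenStore, token_id: str,
                           now: float) -> Optional[int]:
    """The alternative the issue argues against: derive the level from the SSO
    session at lookup time. Returns None once that session has expired."""
    token = store[token_id]
    if token.sso_session is None or not token.sso_session.is_valid(now):
        return None
    return token.sso_session.auth_level


if __name__ == "__main__":
    store: TokenStore = {}
    # Constructed timings: session lives 60 s, access token lives an hour.
    session = SsoSession(auth_level=2, expires_at=1000.0 + 60)
    issue_access_token(store, "tok-1", session,
                       {"openid", AUTHLEVEL_SCOPE}, ttl=3600, now=1000.0)
    later = 1000.0 + 120  # session has expired, access token has not
    print(introspect(store, "tok-1", later))             # auth_level still 2
    print(auth_level_via_session(store, "tok-1", later))  # None: session gone
```

Running the module shows the point the reporter makes: 120 seconds in, the introspect response still carries `auth_level` from the snapshot, while deriving it from the SSO session returns nothing because that session has already expired. A token minted without the custom scope, or via client credentials, never exposes the field.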
Comment by Peter Major [14/Jun/17]
NB: resource owner password grant authenticates the end-user by performing a noSession authentication. We should consider updating the AuthContext API to expose the AuthLevel even when there is no session associated with the successful login.
Comment by Phill Cunnington [19/Jun/17]
Darinder Shokar, would it be possible to use stateless OAuth2 in this scenario? We could then explore the possibility of adding the AuthLevel to the stateless access token JWT.
Comment by Darinder Shokar [20/Jun/17]
Phill Cunnington - I think stateless OAuth2 is a valid use case for many customers; however, for this customer it's a no go for now.
Comment by Quentin CASTEL [X] (Inactive) [09/Oct/17]
I created AME-14778 to track the doc side of this RFE.