[OPENAM-6236] Add token life time options per OAuth2 client Created: 24/Jun/15  Updated: 20/Nov/16  Resolved: 10/Jul/15

Status: Resolved
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: 13.0.0
Fix Version/s: 12.0.3, 13.0.0

Type: New Feature
Priority: Major
Reporter: NRI Support Team
Assignee: kohei
Resolution: Fixed
Votes: 1
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
is related to OPENAM-6382 Dynamic openID Connect client registr... Resolved
Target Version/s:
Support Ticket IDs:

Description

This is an enhancement request to add token life time options per OAuth2/OpenID Connect client:

  • Authorization Code Life Time (Seconds)
  • Access Token Life Time (Seconds)
  • Refresh Token Life Time (Seconds)
  • JWT Token Life Time (Seconds)

Background of enhancement

Currently, token life times can only be set per OAuth2 service (in other words, per realm). If we want to use various OAuth2 clients, we cannot set the times according to each client's security level; we can only set the realm-wide times to the lowest values required by the client with the highest security risk. In this case, OpenAM servers have to process more token requests than actually needed.
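The trade-off described above, as an added illustration that is not OpenAM code and not part of the original issue: a realm-wide lifetime must be set to the strictest value any client needs, so every client re-requests tokens at that rate, whereas a per-client override lets only the high-risk client pay that cost. The option names, `ClientConfig`, the realm default values and the sample clients are all constructed for this example; the override validation (rejecting non-positive values so a misconfiguration cannot yield never-expiring or instantly-expiring tokens) is the check a reviewer would want on any such setting.

```python
"""Resolve per-client token lifetimes against realm defaults (illustrative, not OpenAM code)."""
import math
from dataclasses import dataclass, field

# Constructed realm-level defaults (seconds), keyed like the four requested options.
# These are example values, not OpenAM's shipped defaults.
REALM_DEFAULTS = {
    "authorization_code_lifetime": 120,
    "access_token_lifetime": 3600,
    "refresh_token_lifetime": 604800,
    "jwt_token_lifetime": 3600,
}


@dataclass
class ClientConfig:
    """Hypothetical client record carrying optional per-client overrides (seconds)."""
    client_id: str
    overrides: dict = field(default_factory=dict)


def effective_lifetime(client: ClientConfig, option: str,
                       realm_defaults: dict = REALM_DEFAULTS) -> int:
    """Per-client value wins when set; otherwise fall back to the realm value.

    A non-positive or non-integer override is rejected instead of silently
    producing a token that never expires (0 treated as 'unlimited') or one
    that expires before it can be used.
    """
    if option not in realm_defaults:
        raise KeyError(f"unknown lifetime option: {option}")
    value = client.overrides.get(option, realm_defaults[option])
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{client.client_id}: {option} must be a positive integer, got {value!r}")
    return value


def issuances(session_seconds: int, lifetime_seconds: int) -> int:
    """Number of tokens a client must obtain to cover a session of the given length."""
    return math.ceil(session_seconds / lifetime_seconds)


def realm_wide_vs_per_client(clients, session_seconds: int,
                             option: str = "access_token_lifetime") -> dict:
    """Compare total issuances when the whole realm must use the strictest
    client's lifetime against each client using its own effective lifetime."""
    per_client = {c.client_id: effective_lifetime(c, option) for c in clients}
    strictest = min(per_client.values())
    realm_wide_total = sum(issuances(session_seconds, strictest) for _ in clients)
    per_client_total = sum(issuances(session_seconds, lt) for lt in per_client.values())
    return {"strictest": strictest, "realm_wide": realm_wide_total, "per_client": per_client_total}


# Constructed sample: one high-risk client that needs short-lived access tokens,
# two lower-risk clients that can keep the realm default.
SAMPLE_CLIENTS = [
    ClientConfig("high-risk-spa", {"access_token_lifetime": 300}),
    ClientConfig("internal-batch"),
    ClientConfig("partner-portal", {"refresh_token_lifetime": 86400}),
]

if __name__ == "__main__":
    # Over an 8-hour working session the realm-wide setting forces 288 access-token
    # issuances across the three clients; per-client overrides need only 112.
    print(realm_wide_vs_per_client(SAMPLE_CLIENTS, session_seconds=8 * 3600))
```

Running the block prints `{'strictest': 300, 'realm_wide': 288, 'per_client': 112}` for the constructed sample, which is exactly the "more requests than actually needed" effect the request describes.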



Comments
Comment by Peter Major [X] (Inactive) [ 14/Jul/15 ]

Backport to be evaluated with Andy Hall.

Comment by Alex Walker [X] (Inactive) [ 14/Jul/15 ]

I believe this has caused issues when dynamically registering a client without an access token.

Is this expected? If so:

When dynamically creating a client through REST what parameters should I pass for these 4 new values?

else I will raise a bug.

Comment by kohei [ 15/Jul/15 ]

Hi Alex,

I could not reproduce the issue.

# curl "http://openam01.example.co.jp:8080/openam/oauth2/connect/register" -H "Authorization: Bearer 2b3e09b7-e986-44b4-a4c7-81dc4104d206" --data-binary "{""redirect_uris"":[""http://openam01.example.co.jp:8080/openid/cb-basic.html"",""http://openam01.example.co.jp:8080/openid/cb-implicit.html""]}"
{"public_key_selector":"x509","application_type":"web","default_max_age_enabled":false,"default_max_age":1,"token_endpoint_auth_method":"client_secret_basic","registration_client_uri":"http://openam01.example.co.jp:8080/openam/oauth2/connect/register?client_id=0cd00f7a-16ca-4639-81d5-076da311e465","scopes":["phone","address","email","openid","profile"],"client_secret":"88a024b5-667e-45b2-b857-50ebb3e8eddb","client_type":"Confidential","registration_access_token":"2b3e09b7-e986-44b4-a4c7-81dc4104d206","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1436924649,"client_id":"0cd00f7a-16ca-4639-81d5-076da311e465","client_secret_expires_at":0,"response_types":["code"]}

Could you tell me how to reproduce?

Comment by Alex Walker [X] (Inactive) [ 15/Jul/15 ]

Please see the linked ticket for reproduction steps and curl. However, creation is done without a bearer token with dynamic registration.

Comment by kohei [ 15/Jul/15 ]

I could confirm the issue. If you are busy, please change the assignee for OPENAM-6382 to me.

Comment by Peter Major [X] (Inactive) [ 29/Feb/16 ]

This backport also relies on https://stash.forgerock.org/projects/OPENAM/repos/openam/commits/233ada1b3042c49511efc821390efaceee9d5e25 to correct the labels for the new settings.

Generated at Sat Oct 24 01:15:15 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.