[OPENAM-6236] Add token life time options per OAuth2 client
Created: 24/Jun/15  Updated: 20/Nov/16  Resolved: 10/Jul/15

Status: Resolved
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: 13.0.0
Fix Version/s: 12.0.3, 13.0.0
Type: New Feature
Priority: Major
Reporter: NRI Support Team
Assignee: kohei
Resolution: Fixed
Votes: 1
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Issue Links:
Target Version/s:
Support Ticket IDs:

Description
This is an enhancement request to add token lifetime options per OAuth2/OpenID Connect client.

Background of the enhancement

Currently, token lifetimes can only be set per OAuth2 service (in other words, per realm). If several OAuth2 clients with different security levels share a realm, the lifetimes cannot be tuned to each client's security level: they can only be set to the lowest values required by the client with the highest security risk. In that case, OpenAM servers have to process more token requests than are actually needed.
Comments

Comment by Peter Major [X] (Inactive) [ 14/Jul/15 ]
Backport to be evaluated with Andy Hall.

Comment by Alex Walker [X] (Inactive) [ 14/Jul/15 ]
I believe this has caused issues when dynamically registering a client without an access token. Is this expected? If so: when dynamically creating a client through REST, what parameters should I pass for these 4 new values? Otherwise I will raise a bug.

Comment by kohei [ 15/Jul/15 ]
Hi Alex, I could not reproduce the issue.

# curl "http://openam01.example.co.jp:8080/openam/oauth2/connect/register" \
    -H "Authorization: Bearer 2b3e09b7-e986-44b4-a4c7-81dc4104d206" \
    --data-binary '{"redirect_uris":["http://openam01.example.co.jp:8080/openid/cb-basic.html","http://openam01.example.co.jp:8080/openid/cb-implicit.html"]}'

{"public_key_selector":"x509","application_type":"web","default_max_age_enabled":false,"default_max_age":1,"token_endpoint_auth_method":"client_secret_basic","registration_client_uri":"http://openam01.example.co.jp:8080/openam/oauth2/connect/register?client_id=0cd00f7a-16ca-4639-81d5-076da311e465","scopes":["phone","address","email","openid","profile"],"client_secret":"88a024b5-667e-45b2-b857-50ebb3e8eddb","client_type":"Confidential","registration_access_token":"2b3e09b7-e986-44b4-a4c7-81dc4104d206","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1436924649,"client_id":"0cd00f7a-16ca-4639-81d5-076da311e465","client_secret_expires_at":0,"response_types":["code"]}

Could you tell me how to reproduce?

Comment by Alex Walker [X] (Inactive) [ 15/Jul/15 ]
Please see the linked ticket for reproduction steps and curl. However, creation is done without a bearer token with dynamic registration.

Comment by kohei [ 15/Jul/15 ]
I could confirm the issue. If you are busy, please change the assignee for

Comment by Peter Major [X] (Inactive) [ 29/Feb/16 ]
This backport also relies on https://stash.forgerock.org/projects/OPENAM/repos/openam/commits/233ada1b3042c49511efc821390efaceee9d5e25 to correct the labels for the new settings.