How to configure OAuth token expiry duration to a smaller value, e.g., 2 minutes, for adapters on a MobileFirst Foundation Server?
The expiry value can be set by using in the application's application-descriptor.xml file. The element is optional and defines the expiration period (in seconds) of OAuth access tokens. The default is 3600 seconds (one hour).
If the expiry has to be enforce on server side, as opposed to in the application, we can implement the following.
To pass validation, both a scope token and its containing token(access token) must not be expired.Each scope token (realm name) has its own expiration time, which can be different than the expiration time of the containing access token.The expiration period of a scope token (realm name) is defined by the expirationInSeconds attribute of the login module that is associated with the realm whereas an access token contains the scope that is required by the application.It does contains
the realms which are defines in security tests.
Use the custom security test to protect the adapter.The scope of an access token must be pre-defined for this custom security test.The expiration period of a scope token (realm name) is defined by the expirationInSeconds attribute of the login module that is associated with the realm.
Please follow the below links to configure server side configuration for adapters.
https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.0/authentication-security/using-mobilefirst-server-authenticate-external-resources/
http://public.dhe.ibm.com/software/products/en/MobileFirstPlatform/docs/v700/mobilefirst_platform_foundation_doc.pdf
Related
Is it possible to modify access token/refresh token expiry time in Keycloak using code?
I have checked documentation but there is no endpoint which can be used to modify token settings.
Currently, there is no specific endpoint for that. There is, however, endpoints that allows one to change the Realm and Client settings that would affect the access and refresh token expiration time.
I'm using IdentityServer4 in ASP.NET Core 2.2. The client application (RP) is an API, also an ASP.NET Core 2.2 application. The user logs in using the authorization code flow and gets a cookie from IdentityServer (idsrv). They then get an authorization code and and access token for the API (RP).
I want to be able to revoke a user's existing login session and access tokens in some cases, e.g. if their password has been reset. In IdentityServer I've implemented added my own authentication scheme:
.AddCookie("MyAuthenticationScheme", options =>
{
options.SessionStore = new MyTicketStore();
options.EventsType = typeof(MyCookieAuthenticationEvents);
})
This allows me to invalidate the user's IdentityServer session on the server before the authentication ticket expires. For example, when the user is signed in I add a claim that stores the date their password was last changed and in MyCookieAuthenticationEvents.ValidatePrincipal() I check that it has not been changed since, as suggested on https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-2.2#react-to-back-end-changes
I want to do the same with the access token they use the access the RP. If the user's password has changed (and in some other cases) I want the access token to be invalidated immediately, rather than waiting for it to expire. I'm using reference tokens and have implemented IProfileService and ICustomTokenValidator. In IProfileService.GetProfileDataAsync I copy the password change date claim to the access token claims collection and in ICustomTokenValidator.ValidateAccessTokenAsync I again check that claim against the real user.
This works, but it seems quite convoluted and complicated and I wonder if there is a simpler way to accomplish this - it seems like this should be a common requirement.
If you are using reference tokens, all you need to in order to invalidate the token is to remove it from whatever implementation of IPersistedGrantStore you have and the next time reference token is attempted to be validated through introspection, it will be invalid since it will no longer exist.
I have 2 website that are using identity server Authentication (which is a third website)
if i log out from the identity server website (i am using quick start) how can i force the 2 other website to validate if the user is still log in, and this on every round trip to the server (post back).
For browser based apps you can call the session endpoint:
All applications that the user has logged into via the browser during
the user’s session can participate in the sign-out.
This will however not invalidate JWT tokens as these are self-contained and remain valid until expiration.
The only way to logout a JWT 'almost realtime', is to set the expiration to a minimum and use refresh tokens to renew the access token.
These refresh tokens can be revoked using the revocation endpoint:
This endpoint allows revoking access tokens (reference tokens only)
and refresh token.
This way you don't need a roundtrip on each call. An alternative that does is to use reference tokens:
When using reference tokens - IdentityServer will store the contents
of the token in a data store and will only issue a unique identifier
for this token back to the client. The API receiving this reference
must then open a back-channel communication to IdentityServer to
validate the token.
Using the revocation endpoint you can revoke the reference tokens at any time you like.
I have a web service that users can sign into and so forth. I'd like to setup AWS API Gateway to allow the users to interact with the service via APIs. As the user management / password management is already in the system I don't want the user to have to go to another system.
I first looked at Cognito user pools but I couldn't automate fully the user creation / verification process, AWS in a support ticket said the user would have to verify the email separately. They then suggested to use a Lambda function to setup authorisation.
I've created a Lambda function and the API Gateway is authorizing however it looks like only one variable is sent for authorization, the Identity token. If I did this my Lambda function could find from my service that the key is valid but it's not really associated for a user.
What I'm after is a way to provide a user with a client id and passkey from my system (I can generate all of that), the user then does a request to the API Gateway end point with the client id and passkey, gateway sends the client id and passkey to the lambda function that calls my system for verification, Lambda returns the valid policy, API Gateway then sends the request to my service with either the client ID or some other identifier thats come back from the policy so my system knows the requesting client.
What would be the best way to achieve this without taking the user to a seperate system (Cognito)?
Turns out that your timing might have just been a Day or so early. What you would have experienced with custom authorizers before is the TOKEN authorizer. Today they noticed expanded support for custom authorizers with a new REQUEST authorizer type. The new REQUEST type supports a much expanded dataset for authorizing requests, such as request parameters, headers, query strings, and more. Check out the Custom authorizer types for further information.
Is it possible to configure jwt token expiration time (exp property) for an Okta OpenId Connect application?
It seems to be set to 1 hour from issuing time (iat property) for both implicit and authorization code grants.
the expiration time of our OIDC tokens is not configurable and is indeed fixed to 1 hour. It's up to your app to use the refresh token and ask for a new access token (in the authorization code flow scenario) or simply call the authorize endpoint again to get a newer token (in the case of the implicit flow).